arXiv:1505.02325vl [cs.GT] 9 May 2015 


Picking vs. Guessing Secrets: A Game-Theoretic 

Analysis 

(Technical Report) 

MHR Khouzani*, Piotr Mardzieh, Carlos Cid^, Mudhakar Srivatsa^ 

* Queen Mary, University of London 
I^University of Maryland, College Park 
^Royal Holloway, University of London 
§IBM T.J. Watson Research Laboratory 


Abstract —Choosing a hard-to-guess secret is a prerequisite in 
many security applications. Whether it is a password for user 
authentication or a secret key for a cryptographic primitive, 
picking it requires the user to trade-off usability costs with 
resistance against an adversary: a simple password is easier 
to remember but is also easier to guess; likewise, a shorter 
cryptographic key may require fewer computational and storage 
resources but it is also easier to attack. A fundamental question 
is how one can optimally resolve this trade-off. A big challenge 
is the fact that an adversary can also utilize the knowledge of 
such usability vs. security trade-offs to strengthen its attack. 

In this paper, we propose a game-theoretic framework for 
analyzing the optimal trade-offs in the face of strategic adver¬ 
saries. We consider two types of adversaries: those limited in 
their number of tries, and those that are ruled by the cost 
of making individual guesses. For each type, we derive the 
mutually-optimal decisions as Nash Equilibria, the strategically 
pessimistic decisions as maximin, and optimal commitments as 
Strong Stackelberg Equilibria of the game. We establish that 
when the adversaries are faced with a capped number of guesses, 
the user’s optimal trade-off is a uniform randomization over a 
subset of the secret domain. On the other hand, when the attacker 
strategy is ruled by the cost of making individual guesses, Nash 
Equilibria may completely fall to provide the user with any level 
of security, signifying the crucial role of credible commitment for 
such cases. We illustrate our results using numerical examples 
based on real-world samples and discuss some policy implications 
of our work. 

Index Terms —Password Attacks; Attacker-Defender Games; 
Usability-Security Trade-off; Game Theory; Decision Theory; 
Maximin; Nash Equilibrium; Strong Stackelberg Equilibrium. 


1. Introduction 

Passwords remain the most common means of authen¬ 
ticating humans to computer systems. Yet, passwords are 
also among the most common points of failure of security 
systems nasi. According to an investigation report in 2011 
0, stolen login credentials accounted for nearly a third of 
corporate data breach incidents, out of which, more than a 
quarter were estimated to be carried out using a form of 
a guessing attack. Poorly chosen passwords undermine an 
otherwise secure authentication system. Users tend to choose 

This manuscript is the extended version of our conference paper (T). 


easy to remember passwords ISIIII. This is rationalizable as 
attempts in balancing usability costs with perceived security. 

Managing the utility vs. security trade-off is also a relevant 
problem in the application of cryptographic techniques, which 
usually rely on maintaining a key unknown to any adversary. 
Longer keys provide stronger security guarantees but at the 
same time inflict larger storage and computational costs on 
the system. Using cryptographic techniques, therefore, entails 
trading off utility for security, either through the choice of key 
size or the method of key generation. Either way, the decision 
must be made in the context of adversaries. 

Guessing attacks are often categorized as online and offline 
based on their context of execution 0. Online attacks involve 
interacting with the target system. In such an attack, adver¬ 
saries are often limited in the number of (failed) guesses they 
can make (within a certain time period) before the system 
prevents any further interaction. In the case of password 
authentication, this is usually an account lock-out that requires 
intervention of the legitimate user using an alternate channel 
of authentication (email, phone, etc.). 

In offline attacks, adversaries are assumed to have collected 
sufficient data to examine unlimited number of guesses, and 
are only constrained by their computational resources. In the 
case of password authentication, for example, this data can be 
the leaked hashes of user passwords, enabling the attackers 
to compute hashes of their guesses and compare them for a 
match, theoretically an unlimited number of times. Another 
example of an offline attack setting is when an adversary 
eavesdrops a cryptographic response to a predictable challenge 
in a challenge-response authentication protocol. Although un¬ 
limited in the number of guesses, adversaries in such offline 
scenarios still need to be wary of costs of trying guesses as 
computation of password hashes or cryptographic responses 
are not instantaneous or free (specially, noting that hash 
functions for hashing passwords are intentionally chosen to 
be slow on hardware to dissuade brute-force attacks). Hence, 
the response of such adversaries is governed by the compu¬ 
tational/time cost per each guess. An adversary may obtain 
a pre-computed list of hashes to remove (or a rainbow table 
to mitigate) the computational burden during the execution of 


the attack. In such cases, the bottle-neck becomes the storage 
requirement for such a table, which implies a cap on the 
number of available guesses, similar to the online case. 

We will collectively refer to passwords or cryptographic 
keys as secrets. We also use the terms Capped-Guesses and 
Costly-Guesses to respectively describe the following two 
settings: (1) adversaries are limited in their number of guesses, 
e.g. in online password attacks in the presence of a rate 
limiting mechanism, or in offline attacks that use storage- 
limited pre-computed tables; and (2) adversaries incur a cost 
per each guess, e.g. in brute-force offline attacks. Regardless 
of the type of the guessing attack, the inherent behavioral or 
systematic preferences over the secret space can be exploited 
by adversaries and boost their guessing efficiency. Therefore, 
any secret picking policy that aims to achieve a desirable trade¬ 
off between usability and security must evaluate the possible 
reaction of a rational adversary given their capabilities. In 
particular, it is insufficient to analyze the decisions of either 
the users or the adversaries without taking into account the 
reaction of the other. Game theory provides tools to analyze 
such strategic interactions. The notion of equilibrium, in 
particular, describes how rational parties would eventually 
behave when faced against each other by characterizing their 
mutually-optimal strategies. 

The basic question at the heart of this paper is the following: 
given a known uneven usability cost over the space of secrets, 
how can the defender optimally randomize in picking a 
secret? The main contribution of the paper is answering this 
fundamental question. Specially: 

• We present novel decision and game-theoretic models for 
both Capped-Guesses and Costly-Guesses settings that are 
simple enough to allow analysis yet general enough to cover 
all the cases described above. 

• We provide complete analysis of these games and discuss 
the security implications of the solutions. Specifically, we 
derive optimal secret selection policies with respect to differ¬ 
ent strategic metrics, namely, the strategically pessimistic so¬ 
lutions (Maximin), the mutual-best-response solutions (Nash 
Equilibria - NE), and the optimal commitment strategies 
(Strong Stackelberg Equilibria - SSE). 

• Eor Capped-Guesses settings, we show that, interestingly, 
the optimal picking strategies still constitute uniform distri¬ 
butions despite the uneven preferences of the picker over 
the secret space. The trade-off is achieved by randomizing 
only over a (lower cost) subset of the secret space, while 
the probability distribution over the subset is uniform. The 
size of the subset is influenced by the picker’s trade-off 
parameters and (only) the cap on the available guesses. The 
optimal guessing strategies are restricted to the same subset 
though they are not uniform. Instead, the guesser probes 
the picker’s more favored secrets in that subset with higher 
probabilities. We also show that for this scenario, all of the 
different strategic metrics of Maximin, NE and SSE lead to 
the same solution for the picker. 

• Eor the Costly-Guesses settings, we find a surprising result, 
reminiscent of the prisoner’s dilemma situation: aside from 


trivial cases, the NE strategies of the picker fail to yield 
any desirable security level, irrespective of the size of 
the secret space or the cost associated with the loss of 
the secret. We demonstrate how the picker can retrieve a 
desirable usability-security trade-off using commitment to 
optimal randomizations. We also notice that these optimal 
commitment (SSE) strategies for this case are almost never 
completely uniform, though they resemble uniform selec¬ 
tion, with diminishing tails on costlier secrets. 

• We provide numerical illustrations of our analyses using 
examples such as the leaked Rock You password dataset and 
cryptographic keys with increasing costs in their size. 

The paper is structured as follows: Sec. |I^ introduces the 
building blocks of our non-zero-sum two-player game between 
a picker and a guesser. In Sec. m we present the model 
for Capped-Guesses scenarios and introduce different game 
theoretic notions of a solution, which we fully derive in 
Sec. IV In Sec|V] and VI we present the model and analysis 
of the Costly-Guesses scenarios. In Sec. VII we comment on 


some of the implications of our results. A brief overview of 
related literature is discussed in Sec. VIII A summary of our 
results and some suggestions for future directions of research 
concludes our paper in Sec. IX The technical proofs of the 
results are all aggregated in the Appendices of this technical 
report. 


II. Model 

In what follows, we progressively construct the model of 
our non-zero-sum two-person games between the picker, and 
the guesser. Critically, we assume that the parameters of the 
games are “common knowledge”, i.e., both players are aware 
of the presence and type of the game, the utilities and the 
information available to each other. 

The picker (she) chooses a secret from the finite set of all 
secrets V = {pi, ■ ■ • ,P|7:3|}. Let d G V denote a pure (i.e., 
deterministic) action of the picker. V is thus the picker’s pure 
action set. The picker has uneven preferences over this set 
of secrets. In the case of password selection, for instance, 
this preference could be related to the memorability and ease 
of use: simpler passwords are easier to remember and less 
cumbersome to type in. In the spirit of the von Neumann- 
Morgenstern utility theorem 13, we model these preferences 
by assigning different costs to different secrets]^ Specifically, 
let the whole set of secrets be partitioned into disjoint non¬ 
empty subsets £i, ..., Sjsi, i.e.. Si ^ % for all i. Si G Sj = % 
for i ^ j and ufL^Si = V, such that the picker incurs 
a usability cost of Ci if she picks any of the members of 
the set Si as her secret. Without loss of generality, assume 
0 < Cl < ... < Cat. Hence, in the absence of any other 
considerations, the picker prefers to choose her secret from set 
Si rather than Sj when i < j, as she assigns a lower usability 
cost to secrets from the first set. These data are determined, 
for instance in the case of password choice, by statistical 

'Note, however, that we assume the usability costs and security costs of 
the picker are additive through an appropriate scaling. 
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Fig. 1. (Top) Rock You dataset password frequency and the derived cost 
model. (Bottom) Fraction of passwords guessed as a function of number of 
guesses. 


investigation of the past databases of cracked passwords, e.g., 
as published in mniini. Alternatively, these sets can represent 
passwords that minimally satisfy an increasingly more complex 
password creation rule-sets. For instance. Si can be the set of 
all dictionary words in lower case, S 2 the set of all dictionary 
words but requiring a mix of capital letters, £3 having the 
additional rule of including a number as well, £4 requiring a 
symbolic character too, etcj^ 

The guesser (he) makes guesses about the choice of the 
picker. Upon the discovery of the secret, i.e., a correct guess, 
the guesser wins a gain of 7 > 0 , and the picker incurs 
a loss of A > 0. The guesses are either constrained in 
number or subject to cost. We will investigate these two 
cases separately in Sections III and [V] respectively. In what 
follows, we provide two numerical instances of the model. 
Note that these numerical examples are mainly for the purpose 
of illustrating the analysis. 



Fig. 2. Synthetic cost model for selection of cryptographic keys, with cost 
proportional to linear and cubic power of key length. 


passwords in the whole dataset. The passwords in the figure 
are ordered in decreasing frequency of appearance. 

The dashed line in Fig. [T] (bottom) demonstrates the strength 
of the passwords in the dataset using a simple metric quanti¬ 
fying the likelihood of a successful brute-force attack against 
a uniformly picked user in the dataset as a function of number 
of guesses, assuming the attacker knew the exact distribution 
of passwords in the dataset. As a frame of reference, we 
also include a similar metric assuming the users picked their 
password uniformly from the 11884632 different passwords in 
the dataset (solid dark line) or if all 32 million users picked 
their passwords uniquely (solid light line). 

As a candidate for the partitions, we group the passwords 
based on their frequency of appearance as an indirect measure 
of their cost. Namely, we group the passwords with the highest 
frequency in Si, passwords with the second highest frequency 
in S 2 , so on, which makes the last partition £2040 as the set of 
all the passwords that appear only once. We use the inverse of 
frequency of a password as a rough estimate of its usability 
cost. After normalization, we set the usability costs to range 
from Cl = 1/290729 to C 2040 = 1- The cost associated with 
each partition can be seen as the dotted line in Fig. [T] (top). 

In Section IV-A and Section VI-B we will compare the 
behavior of users in the dataset to that of their equilibrium 
behavior for each of our two attack settings. 


B. Cost Example: Cryptographic Keys 


A. Cost Example: Passwords 

The Rock You password dataset ifT^ contains the passwords 
of around 32 million users of the RockYou gaming site. The 
data-breach that produced the list was particularly costly as 
the site did not bother hashing its users’ passwords. The list 
is complete, containing both very common passwords (the 
password “123456” occurs 290729 times), as well as many 
unique ones (2459760 passwords appear only once). As a 
result, the list has been studied extensively E noi [iMia. 
Fig. E (top) summarizes the frequency (dark line) of the 

^It is natural to assume that these partitions are common knowledge as sets 
as opposed to lists. In particular, no specific indexing of the members of a 
partition is common knowledge, and hence, the solutions must be symmetric 
within the partitions. Nevertheless, we provide our analysis agnostic of 
any assumption about existence of a common indexing inside partitions. 
Symmetric solutions can then be extracted. 


The selection of secret keys for cryptographic protocols is 
usually out of the hands of humans, nevertheless, the design 
decision of picking the strength of the key (usually a function 
of its length) entails the same cost/risk trade-offs. 

Fig. E summarizes the space of possible keys for two 
hypothetical cryptographic constructs. In both we assume a 
key can be anywhere between 0 and 64 bits. The examples 
differ only in the costs associated with each key. A cost linear 
in the length of key approximately models the trade-off in 
symmetric key systems such as AES which uses a number of 
rounds proportional to key length. The cubic relation is more 
appropriate approximation of public/private schemes such as 
naive implementations of RSA whose computation time scales 
cubically with key length ED. Note that in our analysis we 
will assume that the length of the key is not known to a 
guesser, something that is usually not true of public/private 
















schemes. 

In Sections [IV^ [yl^ j^we examine the equilibrium 
strategies of the picker and guesser given each of these two 
cost models. 


III. Capped-Guesses 

In the Capped-Guesses scenario, the guesser, without ob¬ 
serving the action of the picker, chooses at most K elements 
from the set of possible secrets V, as his guesses. We assume, 
naturally, that K does not depend on the actual guesses chosen. 
The pure action of the guesser, which we denote by A, is 
hence a subset of P of size K, since it is in the guesser’s best 
interest to use all K of his guesses. In the case of password 
selection, for example, each action represents an instance of a 
pre-computed table with which the guesser chooses to launch 
a dictionary attack. The action set of the guesser is therefore: 
A := {A\A C V, |A| = K}, the set of all possible pre¬ 
computed tables of size K. The number K represents the 
prowess of the guesser determined by the physical limitations 
in place: for instance, in the case of pre-computed table attacks 
on passwords, K is determined by how much memory each 
hash entry occupies and how much total memory the attacker 
has available for the table. Alternatively, in an online password 
attack, it can be the number of tries he is allowed to make 
before getting locked out. We assume K < \V\ = 1^*1’ 

since otherwise, the guesser trivially can find the secret with 
certainty. A (pure) strategy profile here is simply a pair of 
picker and guesser actions, (d, A) G V x A. 

The problem is the following: determine best strategies for 
the picker to choose her secret and the guesser to construct 
his guessing dictionary, when both parties are rational decision 
makers. The problem can be modeled as a simultaneous move 
game. Note that in game-theory, the term “simultaneous move” 
does not necessarily imply synchronicity, rather, the lack of 
observation of the move of other players (or any signal about 
it) before making a move. Otherwise, there is a sequentiality 
in the occurrences of the actions taken in our problem: the 
picker picks first. In our Capped-Guesses game, the “actions” 
and “strategies” simply coincide. To complete the model, we 
next provide the utilities of the players given a strategy profile 
(d, A). Let un and ua represent the utilities of the picker and 
the guesser respectively. Compactly put, we have: 

U£)(d, A) =-c(d) - AlA(d), MA(d, A) = 7 lA(d) (1) 

where 1 represents the indicator function]^ and c(d) := 
Eili C'il£.(d) is the usability cost of secret d. Note that this 
summation only contains one non-zero element: if the picked 
secret is from partition 8i, she incurs the usability cost of Ci. 
A list of the main notations is provided in Table 

Solution Concept 1 - Nash Equilibria (NE): A solution 
of a game is a prediction of how rational players facing it 
may take decisions. A commonly used notion of a solution 
is Nash Equilibrium (NE in short), which informally put, is 

^The indicator (characteristic) function of a subset y of a set X is a 
function ly : X —> {0,1} defined as the following: ly (x) = 1 if x S y, 
and ly(x) = 0 if x ^ y. 


TABLE 1 

List of main notations 


Notation 

Definition 

Si 

Set of secrets with the same cost of picking Ci 

r,N 

Set of all secrets. Number of its partitions 

Ci 

Cost of picking a secret from set Si, incurred by the 
picker 

K 

Number of attempts available to the guesser in 
Capped-Guesses (size of his “table”) 

a 

Cost of each attempt of the guesser in Costly-Guesses 

7 

Gain earned by the guesser if any of his guesses is 
correct 

A 

Loss incun'ed by the picker if the secret is found by 
the guesser 

c{d) 

Picker’s usability cost for picking secret d. Short for 

E^ica£,(rf). 


a strategy profile that consists of simultaneously optimal re¬ 
sponses to each other, keeping the others’ strategies fixed, i.e., 
strategy profiles that are resistant against unilateral deviations 
of players. Eormally, in our two player game, this means the 
following: the strategy pair (d*,A*) G P x A is a (pure) 
NE if and only if: d* G argmax^gp M£)(d, A*) and A* G 
argmaxAGA'WA(d*, A), in Q, i.e., unid*, A*) > UD{d,A*) 
for all d G 7^ and UA^d*, A*) > UA(d*, A) for all A G A. 

It is not difficult to see that “pure” Nash Equilibrium is 
not a suitable solution concept for our game. In fact, except 
in trivial cases, no pure NE exists. This is because a pure 
strategy of the picker means selection of a specific secret. The 
best response of the guesser is then simply to include that 
secret in his guess dictionary. But then, the picker would have 
been better off to deviate and choose a different secret and not 
incur the potentially huge cost of having her secret revealed 
with certainty. In other words, deviation from any pure action 
(except in trivial cases) is beneficial for the picker. A similar 
argument can be made for the guesser. 

The above discussion motivates the search for a solution 
among mixed strategies, which involve randomization thereby 
injecting ambiguity about the choice of each player. Specifi¬ 
cally, a mixed strategy of a player is a probability distribution 
over her set of pure strategies. Eor any finite nonempty set S, 
let A{S) represent the set of all probability distributions over 
it. That is: 

A{S) := {,TeK+'‘"'|^,T(s) = l} 

sGS 

Eor a given probability distribution cr G A(S), let the support 
of cr, or supp((t), denote the subset of the domain of cr that 
receives a strictly positive probability, that is: 

supp(cr) := {s G 5|cr(s) > 0}. 

Moreover, for a given probability distribution cr G A{S) and a 
given subset S' C S, let represent the probability mea¬ 

sure of S' with respect to cr, that is, let cr(iS') := J2seS' 

Let S and a represent a mixed strategy of the picker 
and guesser respectively. We hence have: S G A(P) and 
a G A (A). Following a common abuse of notation in game 
theory, let UB(d,a) and UA(d,a) be the expected utility 











of the two players given a mixed strategy profile {d, a) G 
A{'P) X A(^) where the expectation is taken with respect to 
the independent randomizations in the mixed strategies. That 
is: UD{S,a.) :=A)S{d)a{A), and likewise 
for UA{S,a.). Replacing from ([T]i, we have: 

UD{S,a.) = — ''^^c{d)d{d) — X lyi(d)5((i)a(A) (2a) 

dev dev,AeA 

UAiS,a)="f ^ lA{d)S{d)a{A) (2b) 

dev,AeA 

Note that we are assuming randomization per se is costless. 
A mixed strategy of the guesser, a G A(^), specifies the 
probability that each feasible dictionary (table) is selected. For 
our model, it is often simpler to instead specify the marginal 
probabilities that each secret is tried by the guesser. Specifi¬ 
cally, let us define p such that p(d) denotes the probability that 
secret d is in the (AT-sized) table of the guesser. p and a are 
related through: p(d) = JJagA ^A(d)o;(A). Moreover, using 
the notion of probability measure and the fact that all members 
of the same partition by definition have the same choosing cost 
for the picker, we have: c(d)S(d) = CiS(£i). 

Hence, the expressions in Q can be simplified as: 

N 

ud{S, p)=-Y1 - a ^ S{d)p{d), 

i=i dev ( 3 ) 

ua{S,p) ='r'^d{d)p{d) 

dev 

A mixed NE is defined in the same way as a pure NE, except 
that the optimization variables and the optimization spaces are 
replaced accordingly. The set of pure NE are contained in the 
set of mixed NE, since pure strategies can be obtained from 
degenerate distributions over the strategies. That is, a mixed 
strategy profile {6*, a*) is a mixed NE iff: 

UD{S*,a*) > ud{S,cx*), UA{S*,a*) > UA{S*,a). 

VSeAV VcxeAA 

Solution Concepts 2 & 3 - maximin and minimax: A 
(mixed) strategy of the picker g A (7^) is a maximin 

strategy of hers if and only if: 

cmaxiniin ^ „ r ■ \1 

o Gave max min UD(o,a.)\ 

SeA{V)aeA{A) 

Let ujjid) := minQ,g^(^) UD{d, a), which is the worst utility 
of the picker among all reactions of the guesser if she chooses 
the mixed strategy of 5. Then maximizes ud{S), 

achieving the maximin utility, which we will denote by 
This is the mixed strategy that guarantees (secures) the picker 
at least her maximin utility irrespective of the strategy of the 
guesser. Eor this reason, maximin strategies are sometimes 
also referred to as “security” strategies, maximin strategies are 
recipe for action when a player is strategically pessimistic, in 
that she believes the opponent(s) behave in such a way to hurt 
her utility the most, as opposed to selfishly maximize their own 
utilities. Hence, the focus is solely on the utility of that player, 
and rationality of other players is not taken into account. 


This is conceptually different from a minimax 
strategy of a player. Formally, 
a picker’s minimax strategy if and only if: 
^mmimax ^ arg min^gACP) [niax„gA(yt) WA(^, «)]■ Let 
Wa{S) := maxQ,gA(^)a), which is the best utility of 
the guesser among all of his reactions if the picker chooses 
the mixed strategy of S. Then minimizes UA{d), 

guaranteeing that the utility of the guesser is bounded by 
his minimax utility, denoted by uAmin- That is the strategy 
that the picker can adopt to hurt the utility of the opponent 
(the guesser) the most, ignoring her own utility. In zero-sum 
games, the utility of each player is negative (i.e., additive 
inverse) of the of other. Hence, hurting the expected pay-off 
of the opponent the most is exactly equivalent to helping your 
own expected pay-off the most. This means that minimax 
and maximin strategies of each of the players coincide. But 
this in general does not extend to non-zero-sum games. 
This is exactly the situation in our game. It is easy to 
see that the minimax strategy of the picker is simply to 
uniformly randomize over the entire set of secrets, effectively 
maximizing the ambiguity, minimizing any useful information 
that the guesser can exploit. However, this completely ignores 
the cost of choosing costly secrets. As we will show, the 
maximin strategy of the picker is in general different from 
uniform randomization over the entire set of secrets. 

Likewise, we can speak of the maximin and minimax strate¬ 
gies of the guesser: Q,maximin g A (A) is a maximin strategy of 
the guesser if and only if: Q,™aximin g arg maxQ,gA(yt) ua{o(.) 
where ua{(a) := min 5 gA(P) o:)- Here also the dis¬ 

tinction between the maximin and minimax strategies can be 
observed. Specifically, if the guesser is on the (pessimistic) 
belief that the picker is trying to hurt his utility the most (or 
equivalently plan according to the “worst case scenario” of the 
strategy of the picker irrespective of her rationality), he should 
select his K guesses uniformly randomly over the entire set 
of secrets. This approach ignores the pay-off structure of the 
picker and hence does not take advantage of the presence of 
the preferences of the picker over the secrets. We will see how 


the guesser can exploit this knowledge in Sec. IV 


Solution Concept 4 — Strong Stackelberg Equilibria 
(SSE): Consider the situation in which the picker has the 
power of credible commitment to a mixed strategy. Note 
that this is in general different from commitment to a pure 
strategy and requires a different “apparatus”. The relevant 
solution concept for these cases is the Strong Stackelberg 
Equilibria, which intuitively put, are the best mixed strategies 
that the leader (picker in our case) can commit to, knowing 
that the follower (guesser, here) will observe this commitment 
and will respond selfishly optimally to it. In order for the 
solution concept to exist, it also needs the extra assumption 
that whenever the follower is indifferent between a set of best 
responses, he will break ties in favor of the leader. This is 
a benign assumption, because the leader can turn any of the 
indifferent best responses of the follower to a strict preference 
through an infinitesimal modification of her mixed strategy. 
Note that a (pure) strategy of the follower is now a function 



Game 1: Capped-Guesses 

Players: Picker, Guesser 
Strategy Sets: Picker's: {d&V} 

Guesser' s: {gI c 7^, \A\=K} 

Utilities: Picker: UD{d,A) = —c{d) — AlA(d), 
Guesser: UA{d,A) = 'ylA{d) 


of the commitment distribution of the leader. That is, if the 
follower is the guesser, a pure strategy of the follower is a 
mapping from A{V) to A. Formally, in which 

5* G A{V) and : A{'P) ^(Al), constitutes a SSE 

if and only ifj^ 

1) S* e argmax^gACP) 

2) G argmax„eA(,4)MA(^,Q:) 

3) Q: (^) G arg maXo,/((5,a) tr_D (<5, Q; ) 

IV. Analysis of the Capped-Guesses Scenario 

As our main result for the Capped-Guesses scenario, we 
provide a sufficient condition for a strategy pair to be a mixed 
NE (Prop. [^. We show that the NE and maximin strategies of 
the picker coincide (Lemma [^. This useful property leads us 
to other implication: all NE are interchangeable (Corollary [T]) 
and they all yield the same utility for the picker (Corollary 13. 
Another implication of the lemma is that for this scenario, 
the set of optimal mixed strategies of the picker to commit to, 
i.e., her SSE strategies, are also the same as her NE strategies, 
and moreover, they attain her the same utility as any NE does 
(Corollary |^. Einally, we provide a mild constraint under 
which the sufficient conditions provided in Prop.[2for a mixed 
strategy of the picker to be a NE are also necessary conditions, 
implying uniqueness of the description of the NE for almost 
all instances of the game (Corollary |^. These results fully 
characterize the solution of the Capped-Guesses game. The 
proofs of the results in this section can be found in Appendices 
[A| through 

Eirst, note that following Nash’s Theorem, our finite game 
has at least one mixed NE. The existence of maximin, minimax 
and SSE solutions also follow standard results in game theory 
El. In order to explicitly describe the NE, we need to define 
a few parameters. Let: L := mini<;<A I s.t. X]i=i 1^*1 > 
Note that in part this means: |U™ < K for any m < L 

(recall that K is the dictionary size of the guesser - the 
available number of guesses to the adversary). Now suppose 
the picker chooses her secret according to a randomization 
only from the first m (cheapest) partitions where m < L. 
Then the guesser can correctly guess the secret with certainty, 
because he can simply include the entire in his 

guessing dictionary. Hence, for the picker, the (strictly) best 
among such options that lead to certain loss of the secret is 
simply picking from the cheapest partition which yield her a 

'^The superscript BR is chosen to stand for “best response”. 


Utility of —Cl — A|^ The picker can reduce the chance of a 
correct guess by randomizing over partitions beyond U™ i^i, 
but then the picker has to balance usability costs with the gain 
in increasing the entropy. Define: 


J:=lL<j <N\XK- 


j-i i-i 

^c,|£:,| >c,V|£:. 


2=1 


. I 
2=1 


(4) 


That is, J characterizes the partitions for which the inequality 

of AiT/(ECi m > c, holds. 

Since only j > L ctre considered, we have K < (EUm- 
In particular, suppose the picker uniformly randomizes over 
unif(u7“j'^£'i). Then, irrespective of the strategy of the guesser 
as long as its support is unif(u7“j’^5i), his chance of finding the 
secret is exactly \di\), and hence the security cost 

of the picker is \di\)- Moreover, the usability cost 

of the picker for uniformly randomizing over unif(u7“j'^f j) is 
Ci\£i\)/{f^Ai\\£i\). Therefore, the condition in the 
definition of J translates to the following: j G ^7 if the 
usability cost of choosing from £j is less than the overall cost 
(security and usability cost) of uniformly randomizing over 
the (combined) first j — 1 (cheapest) partitions]^ 

If 7 0’ define J := max J'. We label the cases where ei¬ 
ther ^ = 0 or Cl + A < (Eti C,\£,\ + Xk) / (^ti |^^|) 
as “total defeat”, since in such cases the picker chooses 
her secret from the cheapest partition, £i, knowing that her 
choice will be guessed correctly, because it is not worthwhile 
(or not possible) for her to try to prevent it. We will refer 
to all other situations, i.e., when we have J % and 
Cl -f A > C^\£i\ + Xk'^ / as “ordinary” 

cases, since, as we show, it is worthwhile for the picker to try 
to avoid certain revelation of her secret. 

Recall that p*{p) = {A)\a{p) is just the prob¬ 

ability that secret p will be among the K selections of the 
guesser, given his mixed strategy of a*. We now mathemati¬ 
cally present the NE strategies and subsequently describe them 
in words: 

Proposition 1: Eor the “ordinary” cases in a Capped- 
Guesses game, consider a strategy pair {d*,cy.*) where: 


d* = um^{utl£^), 


and: 

K 

P*{p) = —7 - Bi, \/p G £i where i < J (5a) 

^j=i \d'j\ 

p* (p) = 0, Vp G £i where i > J (5b) 


^In the language of game theory, any mixed strategy of the picker that only 
randomizes over where m < L is strictly dominated by strategies 

that only randomize over Si. 

^With simple algebra, the condition can be shown to be equivalent 
to the following: [\K/{Yfrl\£A) + (Jftl Ci\£i\)/{Yfrl\£i\)] > 
[^.ff/(ELl \^i\) + (ELiC'i|G|)/(ELl l^il)]- In words, j G J if the 
overall cost of uniformly randomizing over the combined first j — 1 partitions 
is more than that of uniformly randomizing over the combined first j partitions 
for the picker. This in turn implies that, for the picker, uniform randomization 
over the first j — 1 partitions is (weakly) dominated by uniformly randomizing 
over the first j partitions. 




where B, := 

Then, the strategy pair (S *, a*) is a (mixed) NE. For the “total 
defeat” cases, consider a strategy pair (S*,q:*) that satisfies 
the following: 


Picker: ^*(£i) = 1 


Guesser: 


P*(P) > 1 - '^P € fi, i < J, 


p*(p) = 0 


Vp G £i,i > J 


( 6 ) 

(7) 


Then {S*,a*) constitutes a NE. 

In words, for the “ordinary” cases, the proposed NE is 
the following: the picker chooses her secret only from the 
first J partitions, i.e., the J most favored partitions, and does 
so uniformly randomly. Note in particular that the preference 
profile of the picker only affects her NE strategy through the 
number of partitions that constitute the domain of secrets to 
choose from, but the randomization over this domain is always 
uniform, despite the uneven preferences over them. 

On the other hand, the guesser, knowing the picker does not 
choose her secret with any positive probability from partitions 
beyond £j, does not include any guesses from them either 
( |5b| l. The guesser selects uniformly randomly within partitions 
1,..., J but not across them. That is, even though the secrets 
from the same partition are equally likely to be part of the 
guessing dictionary of the guesser, the secrets from partition 
i < J are chosen with a bias equal to Bi away from uniform 
guessing. This is despite the fact that the picker chooses her 
secret uniformly randomly from the first J partitions. Indeed, 
as we discuss in the proof, the guesser explores the relatively 
favored partitions of the picker among the first J partitions 
with a positive bias compared to her relatively less favored 
partitions. Specifically, the bias is exactly such that the picker 
is indifferent about choosing the secret from any of the first 
J partitions. 

For the cases of “total defeat”, the picker simply chooses 
her secret from partition £i, the least costly partition, and the 
guesser includes all of that partition into his dictionary, along 
with other partitions such that the picker is forced into picking 
her secret only from the cheapest partition. Thus, the secret 
will be discovered by the guesser with probability one. Note 
that, interestingly, the NE was not at all affected by 7 , the 
gain parameter of the guesser. 

Our next series of results describe the properties of the NE 
in regards to other strategic metrics. Note that establishing 
these results do not rely directly on the explicit expression of 
the NE in Prop. [T] 

In general, playing NE strategies by by a player conjures the 
assumption that the other player(s) are indeed rational, in that, 
they are interested in maximizing their own utility as opposed 
to antagonistically trying to minimize the utility of that player. 
But what if this rationality assumption cannot be made in our 
case regarding the guesser? Our next observation dispels that 
concern by establishing that for the Capped-Guess scenarios, 
NE strategies of the picker are her maximin strategies and vice 
versa. 


Lemma 1: Let be the set of NE strategies of the picker 
and be the set of her maximin strategies in a game 

of Capped-Guesses. We have: 

The lemma establishes that the picker can randomize ac¬ 
cording to her NE and (in expectation) be guaranteed at least 
the expected utility prescribed by the NE, irrespective of 
the mixed strategy of the guesser, be it a NE or not. From 
a different viewpoint, the picker can act according to her 
pessimistic maximin strategy, but be assured that she does not 
lose anything in expectation by not playing a NE. Note that 
this property only holds for the NE strategy of the picker and 
not of the guesser (Recall that the maximin strategy of the 
picker is choosing his K guesses uniformly randomly from 
the entire secret space V). 

Here, we just mention the gist of the proof.Detail of the 
proof is in Appendix |^The argument starts by noting from 
^ that for any 5 G A{V), a* G argmax„gA(yt) ck) 
if and only if: a* G argmin„g/^(^) a). To see this, 

note that the pay-off of the picker is composed of two parts, 
the first part is the expected cost of choosing the secret, 
and the second part is the expected cost of losing it. For 
any given mixed strategy of the picker, the guesser can only 
affect the second part of the utility of the picker. Specifically, 
un(^,o:) = —(A/j)ua(^, a) +(/>(S), where —(A/ 7 ) < 0 and 
(/>(S) is an expression that does not depend on a. That is, the 
(rational) best response of the guesser to any “given” strategy 
of the picker, also yields the worst utility for the picker. Hence, 
assuming a rational best response and strategically worst case 
scenario become equivalent for the picker. 

Next two results (corollaries of Lemma [T} establish the 
interchangeability of the NE and remove the concern of 
“Equilibrium Selection” in games of Capped-Guesses. 

Corollary 1: Interchangeability of NE (I): If 
and (^* 2 ,Q:* 2 ) are both NE in a game of Capped-Guesses, 
then so are (^*i,a* 2 ) and (^* 2 ,a;*i). 

This corollary shows that if at all there are more than one 
distinct NE present, then no matter which NE strategy each 
player chooses to play, the outcome is still a NE. The next 
corollary further shows that, even if there were multiple NE, 
there is no question of preference between them for the picker, 
since her utility is the same in all of them: 

Corollary 2: Interchangeability of NE (II): All NE in a 
Capped-Guesses game yield the same utility for the picker. 
Specifically, if (^*, a*) is a NE of the Capped-Guesses game, 
then: ud{S*,ol*) = 

These two results imply that, as far as the picker is con¬ 
cerned, it suffices to to find “a” NE, as we did in Prop, 
which is in general easier that finding the set of all NE. 
Although in our game, we will show that, almost in all cases, 
the NE is in fact unique (Corollary|^. The next corollary states 
that a NE strategy of the picker is also an optimum strategy 
of her to commit to, and vice versa. 

Corollary 3: In a Capped-Guesses game, let Hggg be the 
set of picker’s SSL strategies. Then: Hggg = 

As in Lemma [T] the corollary follows by showing that 
given the committed strategy of the picker, the guesser will 







try to maximize his own utility, which in our Capped-Guesses 
game, is exactly what he would do if he wanted to minimize 
the utility of the picker. Hence the best mixed strategy to 
commit to by the picker is exactly the strategy that maximizes 
her minimum utility, i.e., her maximin strategy, which we 
previously showed to match the NE strategies. Intuitively, this 
is because in the Capped-Guesses model, the guesser will enter 
the game irrespective of the randomization strategy of the 
picker, and use all of his K attempts. Moreover, he chooses his 
K guesses so as to maximize the chances of finding the secret, 
which is exactly antagonistic to the utility of the picker given 
the randomized strategy of the picker (refer to the discussion 
after Lemma [^. 

Note that the ability to commit to a mixed strategy is 
guaranteed not to hurt the “committer” (leader), since the 
leader can always commit to her Nash strategies and yield at 
least her Nash utilities im. Or commit to a maximin strategy 
and guarantee her maximin utility. But in general, she may be 
able to do better and improve upon her Nash Equilibria. Even 
in the presence of Corollary]^ due to the property that in SSE, 
the follower breaks ties among his best responses in favor of 
the leader, identical SSE and NE strategies of the picker may 
lead to distinct utilities for her. However, the following lemma 
establishes that for the game of Capped-Guesses, this is not 
the case; the power to commit does not “buy” the picker any 
extra benefit. Specifically, the utility of the picker when best¬ 
committing is no better than her maximin utility. 

Corollary 4: Let (^*, be a SSE of a Capped-Guesses 
game. Then we have: ud{S* , 

This result can also be expressed in the measure of the 
“value of mixed commitment” as discussed in IH: the value 
of mixed commitment for the picker in Capped-Guesses 
games is one, i.e., commitment achieves nothing above what 
is achievable in NE, and hence there is no advantage in 
commitment. As we will see in Section VI this is drastically 
different from the situation in Costly-Guesses scenarios. 

Corollary 5: The NE strategies of the picker as described 
in Prop. are also maximin and SSE. Moreover, her utility in 
all NE and SSE is her maximin utility, given as: = 




XK 


eU 


in “ordinary” cases. 


‘total defeat” cases. 


and = —Cl — A in ‘ 

The next corollary is rather less important in characteriza¬ 
tion of this game in the light of Corollary Nevertheless, 
it also shows that not only the utilities, but in fact even the 
equilibrium strategies themselves are almost always unique. 
This removes the question whether there may be other simpler 
to play NE of the game than presented in Prop. [T] (even though 
the NE for the picker is quite simple as is). The answer is 
no, almost never. Referring to the definition of J in Q, it 
allows to have Cj\8j\ + XK^ = Cj (E/=i 

We will refer to such a case as a degenerate case, which 
is completely identifiable from the parameters of the prob¬ 
lem. For all other (“non-degenerate”) cases, the condition 
Cj\£j \ + XK^ > Cj l^il) is strictly satis- 

hed. 
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Fig. 3. (Top) Picker loss (solid) and corresponding key space size (dotted) 
as a function of the number of available guesses to the adversary for different 
values of loss (A). (Bottom) Chance of a coiTect password guess as a function 
of the number of guesses in RockYou dataset and for a range of loss (A) values. 


Corollary 6: Aside from degenerate cases identified above, 
the sufficient conditions for a NE strategy prohle provided in 
Prop. [T] are also necessary. 

Note that the corollary in part implies that for “non¬ 
degenerate” “ordinary” cases, the NE is unique. 

A. Equilibrium Example: Passwords 

Fig. 1^ summarizes the equilibrium behaviors of the picket- 
engaged in the Capped-Guesses game. The top part of the 
figure shows picker loss (negative of the utility) as solid lines 
and the size of the support set over which the picker chooses 
his passwords, as the dotted lines. The bottom part of the figure 
shows the probability that the password would be found by the 
guesser. All of these are shown as functions of the number of 
guesses available to the guesser and for two different values of 

A. Recall that the cost of picking passwords was normalized. 
In this manner A serves as the cost of security losses for having 
the password guessed relative to the usability cost. 

As the adversary is granted more guesses, the picker has to 
include a larger subset of passwords to (uniformly) randomize 
over. When this support set is exhausted or the additional cost 
exceeds the benefits, the picker gives up and picks only the 
cheapest password (“total defeat”). For high values of A, the 
picker never gives up, specifically, for large enough number 
of the available guesses, the picker uniformly randomizes over 
the entire set of passwords. 

B. Equilibrium Example: Cryptographic Keys 

Fig. 0 demonstrates the result of equilibrium key picking 
and key guessing. The top part of the figure shows the loss 
incurred by the picker in the two different cost models (linear 
or cubic in key size) as a function of the number of available 
guesses. The middle part of the figure focuses on the size of the 



















Fig. 4. Equilibrium in the Capped-Guesses model for key selection. 
(Top) picker loss as a function of number of available guesses. (Middle) the 
corresponding size of the support set. (Bottom) the resulting chance of picker 
successfully finding the key. All with A = 1000. 


key space that the picker is forced to choose from. The bottom 
of the figure shows the resulting probability that the key will 
be discovered using K brute-force guesses. For brevity we 
only included in the graph the results for when A = 1000. 
Note that the differing cost models do not have much impact 
in this scenario and are overshadowed by the magnitude of 
the exponentially increasing key space that is available to the 
picker. 

For comparison purposes, the dashed line in the figure 
represents the fixed picker behavior that chooses from among 
only the 32 bit keys and incurring a linear cost of picking, 0.5. 
The top of the figure shows that this strategy does worse in 
terms of loss than one which responds to adversary’s power. 

V. Costly-Guesses 

An alternative setting to a guesser with a limited number 
of guesses is one with costly actions: consider a guesser that 
incurs a cost of cr > 0 per each guess. To keep the model 
and analysis simple, we assume that this cost is not guess- 
dependent. In the case of passwords, for instance, this means 
that computation of the hash of a guess is independent of the 
guess itself, which largely holds for most hashing schemes. 

A pure strategy of the picker and her pure strategy set are 
the same as in the Capped-Guesses setting: the picker selects 
a secret d from the set of all secrets V. The guesser’s strategy, 
however, can no longer be simply modeled as a subset of 
guesses to try, because here, the order of guesses matters: if 
the secret is found, the guesser will stop the search and save 
on the exploration cost. As before, the guesser is strictly better 
off in expectation to avoid multiple tries of the same guess. 
Intuitively, a pure strategy of the guesser, as his plan of action, 
can be represented as a sequence of guesses without repetition, 
i.e., a permutation of a subset of V. The interpretation of a 


sample strategy A = {pi,... ,Pt) where pi G V for 1 < i < 
T < |7^|, will be the following: first try secret pi as a guess, if 
it is not correct, i.e., if the attempt fails, then try p 2 , if it fails 
try p 3 , and so on up to Pt, if Pr fails, then quit the search. 

For any set £, let Perm(f) represent the set of 
all ordered arrangements (sequences without repetition) 
of all the members of £, i.e., Perm(£’) := {A = 
(oi,...,a|£|)|{ai,..., 0 |f:|} = £}. Moreover, let T'(£') be 
the set of all permutations over the elements of the subsets 
of £, i.e., 5'(£’) := {A\3£' C £ such that A G Perm(£’')}. 
Using these notations, we can express the strategy space of 
the guesser A as A = (7^). Note that the empty sequence, 

which we denote by (quit) for better presentation, is part of 
the strategy space of the guesser as well, representing quitting 
before making any guesses. 

In Appendix we show how the specification of the 
strategy space of the guesser in Costly-Guesses scenarios can 
be formally derived from the standard game theory models of 
sequential games with imperfect information. Specifically, it 
constitutes the set of reduced pure strategies of a guesser with 
perfect recall (he remembers his past guesses). 

Given a (pure) strategy profile [d, A), we next compute 
the utilities of the two players: UD{d,A) and UA{d,A). First, 
some notations; we extend the notion of set memberships to 
permutations as well, i.e., for a sequence A = (oi,... ,ar), 
d G A \f and only if d S {oi,..., Ut-}. Let lyi(d) be the 
indicator function determining whether d appears on sequence 
A, i.e., whether d G A. Let pos^(d) refer to the position of the 
first appearance of d on sequence A \f d G A, and the length 
of sequence A otherwise. For instance, pos^^j (6) = 2 and 
POS(Q_;,_c) (s) = 3. Then we have (compare with Q): 

UD{d, A) = -c{d) - XlAid) 

(o) 

UA{d, A) = 7l,4(d) - crpos^(d) 

As in the Capped-Guesses setting, pure strategies may not 
be part of any solution concept, since a pure strategy for the 
picker translates to unambiguously revealing her secret. Hence 
we should be searching for solutions in the realm of mixed 
strategies. As before, let 5 and a. denote a mix strategy of the 
picker and guesser, where <5 G A(7^) and a G A(Al), with the 
only difference that A is now the set of sequences of distinct 
guesses, i.e., A = ^'(7^). From (|^, the expected utilities of 
the players given a mixed strategy profile (d, a) are: 


ud {5, a) = -A]c(d)<5(d)-A^ 1 A{d)S{d)cx{A) 
d£V AeA 

UA(<5,a)=7A^A^ ^Aid)S{d)a{A)-a^'^posAd)S{d)(x{A) 

d^VAeA deVAeA 

For any A = {ai)i, we have: Y.d(^v '^A{d)5{d) = 

Moreover: Y.d^v^‘^^Ai.d)d{d) = + 1^1(1 “ 

X)l=i ^(oi))- Hence: 


|A| 

ua{S, A) = 7 ^ S{ai) — a 

i=l 


|A| 


|A| 


5Z*<5(«0 +1^1(1 - A^<5(ai)) 


(9) 



















Game 2: Costly-Guesses 

Players: Picker, Guesser 
Strategy Sets: Picker's: {d£V} 

Guesser's: {^|3£ C V such that A G Perm(£)} 
Utilities: Picker: UD{d,A) = —c{d) — AlA(d), 
Guesser: UA{d,A) = 'ylA{d) — crpos^(d) 


An alternative method to derive the expression for ua{S,A) 
is the following: is just the probability that any of 

the tries on sequence A is the correct guess. Given S and A, 
the search reaches in A with probability 1 — 

Hence, the expected number of tries is '^(uj))- 

Therefore: 


UAiS,A) = 7 


l-4| 

E 

i=l 


\A\ 

d{a,) - 


2=1 


2-1 

1 -'^S{aj) 


( 10 ) 


This is equivalent to the expression in (|^. In our analysis, we 
will use either one of the two forms based on convenience. 


All of the solution concepts introduced in Section III 


can 


be identically defined here as well. We will explore them in 
detail in the next section. 


VI. Analysis of the Costly-Guesses Scenario 

Before we delve into the analysis of the Costly-Guesses 
scenario, we present a simple yet instrumental lemma: 

Lemma 2: Let £ be a non-empty subset of V, and let 
unif(£’) represent the uniform distribution over £, i.e., d — 
unif(£’) if and only if S{p) = l£{p)/\£\. Then, for any 
A G Perm(£), UA(unif(f), A) =7 — (l^l -f l)fr/2, i.e., the 
expected utility of the guesser for any strategy that exhausts 
£ is 7 - (|£| + l)cr/2. 

Proof: The secret is a member of S, hence it will be found 
with certainty, yielding the positive gain of 7. Each guess costs 
the guesser a. The number of guesses before (and including) 
the correct one is i with probability \/\£\. Hence the expected 
number of tries is VI'^I = ( 1^1 + l)/ 2 - ■ 

We will investigate the maximin and minimax strategies of 
the picker first. The picker’s maximin strategy is choosing 
a secret from the cheapest partition, i.e., a picking strategy 
8 G A (7^) is maximin if and only if — 1- To see 

this, note that a strategy of the guesser that explores all of the 
possible secrets, i.e., a permutation of the entire V, minimizes 
the utility of the picker irrespective of the choice of her 
strategy. Hence, facing this worst case strategy of the guesser, 
the picker must only select from the cheapest partition. 

A minimax strategy of the picker, on the other hand, is 
uniform randomization over the entire V, due to the following 
two intuitive lemmas: 

Lemma 3: Let £ be a non-empty subset of V. Then, 
for any 8 G A{V) such that supp(^) C £, we have: 
suPaeAM) ua{ 8, a) > sup„gA(yt) WA(unif(£), a). 


Lemma 4: Let £, £' be two non-empty subsets of V 
such that \£\ < \£'\. Then, sup„g^(_ 4 ) UA(unif(£), a) > 
sup „6 A ( A ) UA ( unif (£’'), ol). 

The first lemma simply confirms that uniform distribution 
gives the least amount of useful information to the guesser. The 
second lemma states that uniform randomization over a bigger 
set is guaranteed not to help the guesser. Proof of Lemma 
is in Appendix [I] Lemma follows directly from Lemma [ 

As we can see, in the Costly-Guesses setting, the strategi¬ 
cally pessimistic and the sheer antagonistic plans of action for 
the picker (her maximin and maximin strategies, respectively) 
lead to uninteresting extremes, suggesting that rationality 
consideration of both players have a more decisive role. Next, 
we turn our attention to NE solutions. 


A. Costly-Guesses: Nash Equilibria 

When 7 < tr, the cost of trying even a single guess 
exceeds the gain of finding the secret. Hence, irrespective of 
the strategy of the picker, the guesser never enters the game: 

Proposition 2: In a Costly-Guesses game, if 7 < cr, then in 
all NE (5 *,q;*), we have: <5*(fi) = 1 and Q;*((quit)) = 1, 
i.e., the picker chooses from the cheapest partition and the 
guesser does not make any attempt. 

What happens when 7 > cr? If 7 < (1 -f 
for some M < N, then following Lemma the picker can 
dissuade the guesser from entering the game by uniformly 
randomizing over the first M partitions. When the picker 
assumes a high cost for losing her secret, i.e., for large values 
of A, this seems to be something she will opt for. However, 
our next proposition reveals that, surprisingly, if there is no 
partition that is big enough that uniform randomization over 
it alone, i.e., single-handedly, can dissuade the guesser from 
entering, then in all NE of the game, the picker chooses a 
cheapest secret and loses it with certainty, and remarkably, 
this is true irrespective of the magnitude of A: 

Proposition 3: In a Costly-Guesses game, if 7 > (l-f 
\£i\)a/2 for all i for which Ci < Ci A, then in all NE 
(8*, a*), we have: = 1 and UD{8*,a*) = —Ci — A, 

i.e., the picker chooses only from the cheapest partition and 
the guesser finds it with certainty. 

The detailed proof of the proposition is provided in Ap¬ 
pendix]^ Here we provide an informal summary of the proof 
with the aim of giving an idea why we have this “failure” of 
NE for the picker: in any NE, the mixed strategies of the two 
players must be best responses to each other. Therefore, in a 
NE, the picker only assigns positive probability of selection 
from costlier partitions because of the threat imposed by the 
exploration probabilities of the guesser. Suppose there is a NE 
in which the picker assigns strictly positive probabilities to 
secrets from partitions £i to £m- This means that the guesser 
explores £i to £m with strictly decreasing probabilities. This 
in turn implies that the guesser must find it a best response 
to explore £m-i and not £m among his set of best responses 
that he randomizes over. Note that the picker never assigns a 
strictly higher probability to members from a costlier partition. 
This means that if exploring £m-i and not £m must be a 







best response of the guesser, so must be exploring £i through 
£m-i and not £m- However, this can never be the case: if the 
guesser explores all of the partitions £i to £m-i and fails, 
then given the randomization of the picker, he is now certain 
that the secret is in £m- Given the condition 7 > (£’m + 1)o’/ 2, 
the guesser is strictly better off to continue to explore £m as 
well. Hence, the starting assumption about the NE strategy of 
the picker could not be true. 

The next proposition shows what may happen when the 
condition of Prop, [^is relaxed (proof is in Appendix [K): 

Proposition 4: In a Costly-Guesses game where 7 > u, if 
3M = min{i |7 < {\£i \ + l)cr/2, Ci < Ci + A}, then in all 
NE {5*, a*) we have: < —Cm- 

This proposition does not quite redeem the stark situation 
with NE solutions for the picker. Eor instance, consider a 
case where the picker could prevent the guesser from entering 
the game by randomizing over £i and £ 2 , and the cheapest 
partition that is big enough to single-handedly prevent the 
guesser from entering the game is £3. Then the picker has 
to settle for a cost of C^, which can be much larger than 
any weighted average of Ci and C 2 . Moreover, the propo¬ 
sition only provides a (tight) upper-bound on the expected 
utility of the picker among all NE. That is, —Cm is the 
expected utility of the picker in the best NE for her, and 
worse NE for the picker can still exist. In particular, if 
7 > (|£i| -b l)tr/ 2 , then (^*, 0 ;*) where = unif(£’i) and 
a* = unif (Perm(£i), Perm(U^ 2 ^i)) is also technically a 
NE: given that the picker chooses uniformly from the cheapest 
partition, it is a best response for the guesser to explore 
the whole set of secrets starting from the cheapest partition; 
likewise if the guesser’s strategy is to explore the whole set of 
secrets, then the guesser’s best response is to choose from the 
cheapest partition, since she will lose her secret anyway. This 
NE, as in Prop. yields for the picker the worst possible in 
any NE: her maximin utility, that is —Ci — A. 

What causes the poor performance of the picker in NE is the 
absence of a credible commitment to a deterring randomiza¬ 
tion. Indeed the picker prefers to induce the guesser to abstain, 
however, if the guesser is not going to enter the game, the 
picker prefers to select a least costly secret. The picker can 
remove this possibility from the reasoning of the guesser by 
credibly communicating a commitment to a mixed strategy. 
This is exactly the setup for Strong Stackelberg Equilibria, 
which we analyze next. 


B. Equilibrium Example: Passwords 

Eigure shows the result of equilibrium behavior on the 
loss of the picker in the costly guesses model for password 
selection. Most of the figure is a lower bound on loss as 
per Prop Eor low ratios of 'y/a, the guesser does not 
participate at all and results only in the cost of picking the 
simplest password. Eor large enough ratios, the picker gives 
up, incurring a loss of A and the cost of the simplest password. 
In the mid-range cases, the loss factor A plays no role. 


picker win (Prop. 2) bound (Prop. 4) guesser win (Prop. 3) 



y/o 


Fig. 5. RockYou-based password picker loss in Nash equilibrium or lower 
bound (gray) and in Stackelberg equilibrium (black dotted) as function of 
7 /(T. For all, A = 2. 
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Fig. 6 . Picker loss in the Nash (solid lines) and Stackelberg (dotted lines) 
key picking strategy as a function of 7 /cr, for linear and cubic cost functions 
(lighter line is cubic cost). For all, A = 2. 


C. Equilibrium Example: Cryptographic Keys 

The solid lines in Eigure show picker loss for the key 
selection scenario with costly guesses. The results contain es¬ 
sentially the same features as the password selection example: 
low-enough ratios of 7/(7 results in guesser not participating, 
high enough ratios result in the picker giving up (this is out 
of the frame at picker loss equal to A = 2), and in between 
the picker exhibits an increasing expected loss. 

D. Costly-Guesses: Strong Stackelberg Equilibria 

Here we assume the picker has access to an apparatus that 
enables her to credibly communicate a commitment to a mixed 
strategy to the guesser. We develop the optimal randomizations 
for the picker given the fact that the guesser, observing 
the committed randomization, best-reacts to it. Eormally, we 
derive the SSE strategies of the picker. 

Eirst, note that if 7 < cr, then irrespective of the choice 
of the picker, the guesser will never attempt a guess. Then 
the SSE strategy of the picker for these cases is, trivially, a 
choice from the cheapest partition, yielding the picker a utility 
of —Cl and the guesser, zero. Therefore, in the rest of this 
section, we only consider 7 > cr. We show the following: if 
at all worth protecting the secret, the picker should commit 
to a randomization that makes not entering the game a best 
response for the guesser, i.e., the cheapest randomization 
that leaves the guesser indifferent between entering the game 
and quitting at the beginning. In particular, committing to 
randomizations that leave incentive for the guesser to perform 






even a partial search is never optimal0We specifically develop 
a linear optimization that gives the SSE strategy of the picker. 


Proposition 5: Consider the following linear programming: 


Uo = max 


-Y^CiUi 


subject to : 


Ui>0 iol l<i<N, ^ i/j = 1, > 


K 


K 


i=\ i=l 


|fi| - |£*+i| 

1^*1 (1 - 


for 1 <i< N — 1 


<0 for l<7^<iV 


For {\V\ + l)cr/2 > 7, the LP is feasible. Let (z/J,..., i/’^) 
be a solution. If u*jj > — Ci — A, then a SSE strategy of the 
picker is 5{p) = v*/\£i\ forp G Si. If ujj < —Ci —A, the SSE 
strategy of the picker is to simply choose a secret from the 
cheapest partition (which induces the guesser to enter, explore 
that partition and find the secret with certainty). Same is true 
when {\V\ + l)cr /2 < 7 ]^ 

The proof of the proposition is provided in Appendix|L|Note 
that when (17^1 + 1)17/2 < 7 , following Lemma ^ even 
uniform randomization over the entire set of V does not deter 
the guesser from entering the game and exploring the whole 
secret space, as it yields him a strictly positive utility of 
7 — (|7^| + l)o'/2. Since uniform randomization is a minimax 
strategy of the picker (intuitively, it gives the least useful 
information to the guesser), any other randomization also 
results in a strictly positive utility for full exploration of the 
guesser. This means the best strategy of the picker is then 
choosing from a cheapest partition, since she will lose her 
secret to the guesser anyway. 

When (|7^| + l)cr/2 > 7 , uniform randomization over a 
subset of secrets can lead to a negative expected utility of 
the guesser for entering the game and exploring any portion 
of the secret space. However, our numerical examples of 
the proposition reveal that the cheapest randomization that 
achieves this goal is almost never completely uniform (or even 
necessarily uniform over the union of some cheapest partitions 
except for the costliest of them). 


E. Stackelberg Examples 

The difference between the Nash equilibrium and the 
Stackelberg equilibrium is demonstrated in Figure for the 
password picking example and in Figure|^for the key selection 
example. In both, the picker’s loss in Stackelberg equilibrium 
as a function of 7/17 is denoted by dotted lines. In the case 
of key selection, linear and cubic cost models are shown with 
linear as dark lines and cubic as light lines. The Stackelberg 
strategies can be seen to perform better than the Nash strate¬ 
gies shown as solid lines. 


^This is reminiscent of this pithy quote do) from Zhuge Liang, a recognized 
ancient Chinese military strategist and statesman: ''The wise win before they 
fight, while the ignorant fight to win” 

^One can find uniqueness conditions for the SSE strategy of the picker, 
using standard results in linear programming (e.g. ED). However, the 
uniqueness of the utility of the picker follows from the optimization itself. 
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Fig. 7. The distribution of key sizes in the Stackelberg key picking strategy 
for a variety of 7 /fT values. 


Figure [7] demonstrates the Stackelberg strategy for key 
selection in more detail for three different 7/17 values. The 
selection of key in these solutions is mostly uniform among 
keys up to a certain length except for larger keys whose 
probability sharply falls off The range of key sizes which 
are selected over increases with 7 /( 7 . 

VII. Discussions 

Policy implications of picker’s optimal strategies in 
Capped-Guesses: System administrators usually use password 
selection rules (composition policies) to increase the entropy 
of the passwords selected by users. The choice of an optimal 
rule-set has been a topic of research ifTOl [131 [141 [22ll . Recall 
that an interpretation of the partitions of the secret space 
based on their usability costs was that these partitions can 
be assumed to satisfy increasingly complex password compo¬ 
sition rules. Hence, our Prop. [T] suggests that the search for 
the “optimal” composition rule is amiss. The optimal secret 
picking strategy is a uniform randomization over a “union” 
of these partitions, and hence, no single composition rule is 
optimal. Our result suggests that optimal composition rules 
are generated by randomizing across different rule-set, and 
specifically, each composition rule should be prompted to a 
user with a probability that is proportional to the size of 
password space created by that rule. 

Credible commitment to a randomization Recall that in 
a Capped-Guesses scenario, the SSE, NE and Maximin strate¬ 
gies of the picker turn out to be identical. In particular, there is 
no gain in communicating a commitment to the adversaries. In 
the Costly-Guesses model, however, a credible commitment to 
a randomization makes a substantial difference, and is critical 
to prevent the failure of NE. Hence, in such situations, it is 
not sufficient to have access to a randomization device, but 
further, the randomization should be made public knowledge 
and verifiable to become credible. 

Optimal attacks in Capped-Guesses Our Prop. [T] suggest 
that in a Capped-Guesses attack, e.g. using pre-computed 
tables, even facing a rational defender that plays optimally and 
hence uses uniform randomization, the adversary must choose 
passwords randomly from the whole selection range of the 
user, however, should choose simpler passwords with more 
probability and include more difficult ones with increasingly 
less probabilities. 













Interpretation of mixed strategies The game theoretic so¬ 
lutions that we developed involved randomization. Specifically, 
in mixed NE, each player’s randomization leaves the other 
indifferent across his/her randomization support. Although 
these behaviors can be explicitly associated with deliberate 
randomization or through the use of randomization devices 
(e.g. when a random key generator algorithm is used), these are 
not the only way such equilibria can be interpreted. Without 
going to the details we just mention some of the al¬ 

ternative interpretations equilibrium solution involving mixed 
strategies. Namely, the probabilities can represent (a) time av¬ 
erages of player’s behavior that exploit an “adaptive” process, 
(b) fractions of the total “population” of each player that adopt 
pure strategies, (c) limits of pure strategy Bayesian equilibria 
where each player is slightly uncertain about the payoffs of 
the others, and (d) A “consistent” set of “beliefs” that each 
player has about the other regarding their behavior. 

Other applications: Finally, it is worth mentioning that 
even though we motivated our models based on password 
and cryptographic key selection, the generality of the model 
allows it to be applicable to other contexts as well. As an 
example of a completely different context but with identical 
abstraction, consider a user that aims to send a convoy from 
a source to a destination over a transport network, or transmit 
a packet over a communication network. There are multiple 
paths available and the user’s objective is to use this path 
diversity to minimize the risk of being intercepted on a path by 
an adversary. However, the paths may have different utilities as 
some may provide lower delays and higher quality of service, 
a preference that can be exploited by adversaries as well. 

VIII. Related Work 

User password selection and attacks has been extensively 
studied in the literature E [ini [iMsi Ea, and due to its 
practical significance, continues to be a hot area of research 
0 . These works generally aim at evaluating the efficacy of 
password attacks as well as measuring the strength of different 
password composition rules through statistical metrics. In 
contrast to our work, these papers consider the user or the 
adversaries one at a time, as opposed to considering that both 
parties will adapts to each other’s choice of policies. Analysis 
of such strategic actions and reactions can be done through a 
game theoretic framework, which to our best of knowledge, 
our work is the first in this context. 

Game and decision theory has been applied in other cyber¬ 
security contexts with promising potentials ll24l l25l . The first 
part of our work (Capped-Guesses) is, in its abstract form, 
similar to the security game model analyzed in 1261 . In their 
model, the defender has limited resources to cover a wide 
range of targets, while an adversary chooses a single target 
to attack. If targets are thought of as secrets, the defender 
in their model is akin to the guesser in our work, and their 
adversary is our picker. Therefore, our Capped-Guesses model 
is the “complement” of their model. Specifically, the results 
that they develop for their defender will be translatable to our 
guesser. However, the focus of our paper was on the picker. 


Another line of research from theoretical game theory 
is search theory and search games ca. Existence of user 
preferences over the secrets to pick from is missing from 
such models. However, such preferences are at the heart of 
usability-security trade-off settings investigated in our paper. 

IX. Conclusion 

We developed tractable game-theoretic models that cap¬ 
ture the essence of secret picking vs guessing attacks in 
the presence of preferences over the secret space. We then 
provided a full analysis of our models with the aim of 
investigating fundamental trends and properties in the design 
of secret-picking policies that attain optimal trade-offs between 
usability and security, taking into account the exploitation of 
the knowledge of such trade-offs by an adversary. Notably, 
we computed the secret picking policies that are optimal with 
respect to a range of strategic metrics (Maximin, Minimax, 
Nash Equilibria, Stackelberg Equilibria). 

We distinguished between two classes of guessing attacks: 
those in which the number of available guesses to an adversary 
is capped (Capped-Guesses), and those in which an adversary 
has potentially unlimited number of tries but incurs a cost per 
each guess (Costly-Guesses). Our analysis revealed the crucial 
role that such distinction between the nature of the guessing 
adversary plays on the expected outcome. Specifically, we 
showed that in the Capped-Guesses settings, the NE strategy 
of the secret picker is still uniform but over a low-cost subset 
of the secret space, where the size of the subset depends on 
the parameters of the adversary only through the number of 
available guesses. In contrast, we established that for Costly- 
Guesses scenarios, except for trivial cases, NE fails to attain 
a desirable outcome for the secret picker. For this setting, we 
showed how deterrence of adversaries as her optimal strategy 
crucially depend on existence of a credible commitment to a 
randomization strategy. We illustrated our results through a 
series of numerical examples using real-world data-sets. 

Future Directions: One of the main areas of extending 
this work is dealing with uncertainty in the parameters of the 
players. For instance, the picker may not accurately know the 
type of the guesser or their guessing size cap or their guessing 
costs. One approach to formally take such uncertainties into 
account is a Bayesian game approach, for which, this work 
lays the foundation of. 

Moreover, in this paper, we assumed that once the secret 
is selected, the picker does not get to change it later, either 
as a blind (open-loop) policy or as a reaction to some signal 
generated by the actions of an adversary. Note that if the act of 
changing the secret does not bring any cost to the picker, and 
both parties are aware of secret-changing occasions, then our 
results are still applicable, since in essence, the two players 
play the same game after each reset. However, the previous 
choices of the picker may affect her future utilities, and hence 
the whole game. For instance, the act of changing the secret 
may be costly for the picker, or changing the secret only 
slightly may be associated with less cost than changing it 
drastically. In such scenarios, a rational adversary can exploit 


such preferences and carry some useful information from each 
round of the game to boost his overall attack. Investigation 
of such scenarios using dynamic game theory is a potential 
extension of our work. 

Another interesting scenario to investigate is when the 
picker is choosing multiple secrets, where there is a increasing 
loss for the number of secrets guessed correctly by an adver¬ 
sary. The two extremes are (1) when the guesser wins if any 
of the secrets are discovered, and (2) when the guesser wins 
only if all of the secrets are discovered. 
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Appendix A 

Proof of Proposition[TJ NE in Capped-Guesses 

Proof: First, consider the “ordinary” cases. We provide 
the proof in two steps: 

First step: We show that the proposed mixed strategies 
do indeed correspond to legitimate probability distributions 
over pure strategy spaces. For <5* = umf(U^ 2 '^i)’ 
trivially true. For a*, recalling Q:*(^)1 a(p) = P*{p), 

consistency of the conditions in Q with legitimate probability 
distributions translates to establishing two facts: (a) p* {p) > 0 
for all p G V, and (b) P* (p) — next. 

(a) Showing p*(p) > 0 for all p G P: For p G 8i where 
i > J, p*{p) = 0. For p G £i where i < J, suppose there 
exists a p G £i where 1 < I < J, such that the expression in 
( |5^ is strictly negative: 

* : : ^ K C'j \^]\- Cj I 

=- - - J - - -< 0 

AEti If. I 

Since Ci < Cj, this in turn implies: \K + < 

C'. 7 Ej=i Iff I’ which is in contradiction with the specification 
of J as max j/, where J is defined in The claim hence 
follows. 

(b) Showing J2pev P*iP) — Directly from 0 , we have: 

Y^p*ip)=K^\^+j2\£^\B.=K + j2\£^\B, 

p^V i=l ^j=l i=l i=l 

In the following, we show that E/=i — 0- 


The above in fact enables an interesting observation: Since 
E/=i = 0 ’ '^he value of Bi must be positive for some 

instances of i, and must be negative for others. From Q, recall 
that Bi represents the “bias” of the guesser in exploring the 
Fth partition, away from the uniform selection of the picker. 
Hence, the guesser explores the partition £i that has positive 
(resp., negative) Bi with higher (resp., lower) probability than 
uniform random selection. Referring to the expression of Bi, 
we have sgn(B,) = sgn (E/=i C'j |f. I/E/=i 1 ^. 1 ) “ . 

Hence, Bi is positive (resp., negative), if among the partitions 
that the picker randomizes over, the cost of choosing a secret 
from £i is less than (resp., more than) the overall average 
cost of choosing a secret. In words, in the NE described by 
the proposition, the guesser explores the relatively favored 
partitions of the picker with a positive bias compared to the 
relatively less favored partitions. Note, particularly, that this 
biased exploration is not because the guesser believes that 
there is a higher chance of having a correct guess from those 
partitions: he searches them more despite knowing that the 
secret is equally likely to be from any of the partitions £i to 
£j. The rationale of this strategy becomes clear in the next 
step of the proof. 

Second Step: The “Nash” property: given the strategy of 
the picker, the guesser plays his best response, and vice versa. 

(a) That the guesser’s strategy is a best response to the 

picker’s is simple to establish: When the guesser adopts 5* = 
unif(uE]^i£’i), the secret is not from the set uEj+i'S’i- Hence, 
given the fact that for “ordinary” cases K < ULi \^iV the 
guesser should not “waste” any of his guesses by choosing 
from ufL hence the property in ( |5b| ). Moreover, given 

S*, the secret is equally likely to be any of the members of 
the set \Ji^i£i. Hence any distribution of choosing K guesses 
over \Ji^i£i is a best response, including the ones that satisfy 
the proposed property in ( |5al i. 

(b) Similarly, we show that the picker’s strategy is a best 

response to that of the guesser’s. Eirst of all, note that the 
secrets from the same partition has the same probability of 
being on the guess dictionary of the guesser, and they also 
all share the same choosing cost. Hence, any redistribution 
of the picker’s probability within the same partition is a best 
response, including a uniform one. Next, we show that the 
guesser’s strategy makes the picker indifferent in choosing of 
her secret from any of the sets £i to £j\ Indeed, the description 
of p* in ( [Sai l is by construction such that the utility of the 
picker for choosing her secret from set £i, for any i < J, is 
equal to \ + ^^)/{ J2j=i \^j\) (which is in 

fact equal to ud{S*, ot*)). To see this, first note that, given 
a*, the utility of the picker for choosing secret p G £i for 
7 S {1,..., J} is: —Ci — Xp*{p). Now, enforcing: 


Y,\W = Y.\£^ 




^7=1 Cj I Ci Ej=i |Cj I 
AE/=i|C.I 

Ei=i IC.I e;=i c,\£A-J:Li\£^\c.J:U I^^-I 

aeL Ic.I 


i=l 


= 0 


-C,-Xp*{p) 


Ej^iC.IC.I+ATT 

E/=ilc.l 


after simplification, yields exactly the description of p* in ( |5al l. 
Now consider any deviation from S* = unif(uE]^5i) and call 











it S'. We have: 


ud[S ,ol ) = - , 6 


E=il^l 
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- Y. as'(£,) ( 11 ) 

i—J+l 


On the other hand, we have: U£){S* ,a*) = 

-{J2j=iCj\£j\ + >^K)/{T.Ui\^ 3 \)- Following the 

definition of J as maxj', where ££ is given in Q, we 
have: -(E/=i + Aif)/(E/=i 1 ^. 1 ) > -C^ for 

i = J + 1, and hence, for all i > J + 1 (since Qs are 
strictly increasing). Referring to ( |TT] i, this establishes that 
U£){S',a*) < ud{S*,Q.*), which is the Nash property for 
the picker. 

Now we turn our attention to the “total defeat” cases. Note 
that p* [p) = 1 for all p G £i. Hence, given the strategy of the 
picker, the guesser’s strategy is a best response. On the other 
hand, given the strategy of the guesser, the picker does not 
have an incentive to deviate from her strategy either: Consider 
a deviation S' . Then ud{S' , ot*) < —{Ci + A) = ujj{S* , a*), 
hence, there is no benefit for the picker to unilaterally deviate 
either. All that remains to show is the feasibility of the 
guesser’s strategy. Note that: £ [f ~ ~ C'l)/^] = 

Eti %\+Ci Eti l^*l/A-Eti’S|f*|/A < K. The latter 
follows from the fact that for “total defeat” cases, we have: 
Cl + A < (AiT + Eti C^£A)/[Y.Li m- ■ 


Appendix B 

Proof of Lemma[TJ Picker’s NE-Maximin 
Equivaeence in Capped-Guesses 

Proof: The proof is immediate once we note from (|^ 
that for any S e A(7^), a* e arg max^gAtA) ck) if 
and only if: a* S argminQ,g^(^) U£)(<5, a). This is because: 
UD{S,a.) = -{X/^)uA{S,a) + ^{S), where -(A/ 7 ) < 0 
and 4){S) is an expression that does not depend on a. 

Eor any S, recall the notations of ud{S) := 
niin„gA(A) a), and := maxggAlP) upjS). 

Then, following the definition, S* G f^Maximin i^ 
only if up(S*) = Suppose (^*, 0 :*) is a NE. 

Eollowing the discussion above, in the Capped-Guesses 
game we have: up(S*,a*) = up(S*). By definition, 

(A) : up’^^^ = maxggAf-p) up{S) > vjj{S*). On the 
other hand, since S* is a best response to a*, as required 
in a NE, we have: up{S*, a*) > up{S,oi*) > up{S) 
for any S G A (7^), where the latter inequality 
follows from the definition of up{S). Hence, 

(B) : up{S*,a*) > maxggACP) up{S) = 

Putting inequalities (A) and (B) together, we obtain 
upiS*,a*) = that is, e HD,^ 

Now, consider the other direction: Suppose S' G 
Then there exists an a' G A(Al) such that up{S',a') = 
up'^^^ and up{S',ot') = up{S'). The latter in our game 
implies that ua{S' .cx') > UA{S',a) for any a G A(Al), 
hence a' is a best response to S'. Also, the former implies 


that up(S',a') > up(S) > up{S,a') for any S G A(Al), 
hence S' is a best response to a' too. Therefore, {S', a') is a 
NE and S' G ■ 


Appendix C 

Proof of Corollary[T1 Capped-Guesses NE 
Interchangeability I 

Proof: Since (<5 *i,q;*i) is a NE, we have: 

up{S*i,a*i) > up{S',a*i) for all S' G A('P), which 
in part implies: up{S*i, cy.*i) > up{S*2,<x*i), and also: 
ua{S*ItOl* i) > ua{S* i^a') for all a' G A(Al). As in the 
proof of Lemma [T] referring to (|^, the latter is equivalent 
to: up(S* 1, a*i) < up(S* 1, ex') for all cx' G A(Al), in 
particular: up(S*i, cx*i) < up(S*i, cx*2). Similarly, since 
{S*2,cx*2) is a NE, we have: up{S*2,cx*2) > up{S',cx*2) 
for all S' G A('P). Moreover: ua(S*2, cx*2) > ua(S*2, ex') 
for all ex' G A(Al), which equivalently means: 

up{S*2,cx*2) < up{S*2,(x') for all ex' G A(Al), in 

particular: up{S*2,cx*2) < up{S*2,cx*i)- Putting the in¬ 
equalities together, we get: up{S*i,ex*2) > up{S* i, ex*i) > 
Q!*i) ^ up{S* 2-i<x* 2) > up{S' ,cx*2) for all 
S' G A(7^). In short, up{S*i,cx*2) > up{S',ex*2) for all 
S' G A(7^), or 5*1 is a picker’s best response to ex* 2 . 

Similarly, we show that a *2 is a guesser’s best re¬ 
sponse to 5 * 1 , i.e., UA(S*i,ex* 2 ) > UA(S*i,ex') for all 
ex' G A(AI). Again, referring to this is equivalent 
to showing: up(S*i, ex* 2 ) < up(S*i,ck') for all cx' G 
A(Al). Since 5*2 is a best response to ex* 2 , we have: 
up{S*i,ex* 2 ) < up{S* 2 ,cx* 2 ). Also, since ex *2 is a best 
response to 5 * 2 , we have: ua{S* 2 ,cx* 2 ) > wa( 5 * 2 , Q:*i), or 
equivalently, up{S* 2 ,(x* 2 ) < up{S* 2 ,cx*i). We also have: 
ud{S*2, Q:*i) < 'I'-d( 5 *i, q:*i) because 5*i is a best response 
to ex*i. Einally, we have Uyi(5*i,a*i) > M^(5*i,a') for all 
ex' G A(AI), or equivalently, up(S*i, ex*i) < up(S* i, ex') for 
all ex' G A(AI), since q:*i is a best response to 5*i. Putting 
all of these inequalities together, we have: up(S*i,ex * 2 ) < 
'Ud(S* 2, CX*2) < Up(S*2, CX*i) < Up(S*i,CX*i) < 

up(S*i, ex') for all cx' G A(Al). In short, up(S*i, cx* 2 ) < 
up(S* i, ex') or equivalently, ua(S*i, cx* 2 ) > ua(S* 1 , ex') 
for all ex' G A(Al). Therefore, putting the two observations 
together, ( 5 *i,q;* 2 ) is a NE. Establishing ( 5 * 2 ,Q:*i) is a NE 
follows similar steps. ■ 


Appendix D 

Proof of Corollary|2J Capped-Guesses NE 
Interchangeability II 

Proof: Proof by contradiction: Suppose not, and there 
exist two NE (5*i, q:*i) and (5*2, ex* 2 ) that yield the picker 
two different expected utilities upi and Up 2 . Without loss of 
generality, assume upi < up 2 . Similar to the arguments in the 
proof of Lemma [T] from (|^ and the NE property for a*i, we 
have: U£)(5*i,a*i) = u_d(5*i). Similarly, up{S* 2 ,(x* 2 ) = 
ud{S* 2 )- Erom Lemma~[^ both 5*i and 5*2 are Maximin 
strategies of the picker as well. Hence, in particular, we must 
have: up{S*i) = max^gACP) up{S) = However, this 

cannot be, because up{S*i) = upi < up2 = up{S*2). ■ 



Appendix E 

Proof of Coroflary[3J Picker’s SSE-NE 
Equivaeence in Capped-Guesses 


Appendix H 

Derivation of the Strategy Space of the Guesser 
IN Costly-Guesses Games 


Proof: Let be a SSE in a Capped-Guesses 

game in which the picker has the mixed strategy commitment 
power. Referring to (|^, as in the proof of Lemma [T] we have; 

S arg maxQ,gA(A) ua{S, a) if and only if S 

argmin„gA(A) Hence, ud((5, = upjd). 

These imply that: min„g^(_ 4 ) a) = UD{S,a^^{6)) = 
max5gA(p)“D(^,a®^(^)) = maxggAf-p) upjd) = up'^^^. 
Therefore, by dehnition, S G and hence, C 

^^Maximin- Following Lemma El we thus also have Hggg C 
^NE- For the other direction, let S G Dehne 

q,br . A(7^) -g A(,A) such that for a given J G A(V), 

G argminQ,gA(A) Q;)- In our game, the latter 

implies G arg maxQ,gA(A) ua(^, ot), hence satisfying 

one of the conditions of . This also implies that no matter 
how the follower breaks ties among his best responses, the util¬ 
ity of the leader is the same, since the best response of the fol¬ 
lower has to be a worst response for the leader. Einally, since 
5 is a Maximin strategy, we have; 5 G argmax 5 gA(P) up{6), 
where we showed a®^(<5)) = up{6). Hence, § G 

argma.xs^A('P)Up{S,a^^{S)). These lead to the fact that 
(^, is a SSE of the game. Therefore, C OggE. 

Again, from Lemma this also shows C Oggg, 

completing the proof. ■ 


Appendix E 

Proof of CorollaryIU No Commitment Value in 
Capped-Guesses 

Proof: The proof is straightforward following similar 
arguments in the proof of Corollary in our game, we have 
that for any S G A, any G argmaxuA(^, o;^^(S)) 

also satisfies U£)(^, a®^(<5)) = min„gA(A) up(S,a.). Hence, 
for any SSE strategy we have; = 

max^CP) y^{6) = ■ 


Appendix G 
Proof of Corollary[6 ] 

Proof: Eirst, note that from Lemma [T] the picker’s NE 
strategy as given by Proposition [T| is also a Minimax strategy, 
yielding up'^^^ = {Ya=i Ci\Si\ + l^il) for “or¬ 

dinary” cases. We show that any deviation from d*, denote it 
by S' will not be a Maximin strategy, and hence, cannot be a 
NE strategy of the picker. As in the proof of Proposition 


we have: up{S',a.*) = — 




^peu■U£^ “ 


N 


E/=ilGI 

Ci ^ (p)' Following the dehnition of J in Q, 


and for non-degenerate cases, we thus have; up{d',a*) < 
up{S*,a*) — Hence, 6' cannot be a Maximin 

strategy of the picker, and thus, following Lemma [T] neither is 
it a NE strategy of hers. This establishes the necessity of the 
conditions in Proposition for the NE strategy of the picker. 


A game of Costly-Guesses is in essence a sequential game. 
The picker makes the hrst move as her only turn, which is a 
choice of her secret from V. The next moves are only made 
by the guesser. The set of available actions to the guesser at 
any step is a guess of the secret, plus the option to quit the 
search. The most natural way of modeling sequential games 
is the extensive form representation, i.e., with a game tree. A 
history of the game is hence a sequence composed of the secret 
chosen by the picker, along with the sequence of the attempts 
of the guesser, as long as the guesser has not quited or has not 
made a correct guess. The game is hnite, since, even if the 
guesser never quits, the secret is bound to be found in hnite 
number of steps. 

The guesser of course does not observe the action of the 
picker at the hrst step, hence, we are dealing with an extensive 
game with imperfect information ESl Chapters 11, 12]. Note, 
however, that our game is one with complete information, 
since both players are assumed to know about the utilities and 
choices of each other. The ambiguity of the guesser at different 
steps can be captured by his information sets. The information 
set of a player whose turn is up is a set of past histories that 
he is ambiguous about having happened. We assume perfect 
recall, which in our game means the guesser remembers all of 
his past guesses. Then, based on his past guesses, the guesser 
cannot refute histories in which the secret of the picker is 
anything other than the guesses so far (without making any 
inferences on the choice of the picker). This is because all 
that a failed guess reveals is that the secret is not that guess, 
hence the picker’s secret can be anywhere in the unexplored 
region. 

Without commitment, a pure strategy of the picker is just her 
pure action: d G V. A pure strategy of the guesser, is a function 
that assigns admissible actions to each of his information 
sets. In our game, the information sets of the guesser can 
be fully determined by his past actions. This is because the 
picker makes a move only once that is at the beginning, and 
that is unobserved by the guesser. Note that the sequence of 
past actions of the guesser cannot include “quitting” since 
the search had stopped at that point (the game had reached 
a terminal node). Also, we can safely ignore strategies that 
involve trying a guess more than once, since they are strictly 
dominated by removing those multiple tries of the same 
guess. Moreover, in any extensive form game, a strategy of 
a player need not determine actions for information sets that 
are not reachable given a player’s own earlier actions in that 
strategy, since such assignments are irrelevant. Specifically, 
irrespective of the strategy of other players, such information 
sets are never reached and that plan of action is never called 
upon. Therefore, all strategies that assign arbitrary actions to 
such information sets can be lumped together and represented 
by one equivalent strategy, as they all represent the same 
meaningful plan of action. These are sometimes referred to as 



reduced pure strategies. In our game, in particular, a guesser’s 
strategy that tries pi as a first guess does not need to specify 
an action for the information set corresponding to a failed 
try of p 2 as the first guess. Hence, a pure strategy of the 
guesser can be represented as a sequence of unique secrets 
from V. Specifically, a pure strategy A — {ai,... ,ar) is 
equivalent to: 02 , • ■ •, 

aT,/(ai....,a^) quit), where represents the 

information set corresponding to the following partition of 
game history: {{d,ai,... ,at)\d G V \ {oi,..., Ot}}. Note 
the difference between a strategy profile, and an outcome of 
the game: a strategy profile must provide a plan of action (a 
prescription) if any information set is reached, even if those 
information sets are never in fact reached given the strategy 
of the others. For instance, if the picker chooses pi, and the 
guesser tries pi as his first attempt, the strategy of the guesser 
still needs to specify what he would have picked if his first 
try would have failed. 

Appendix I 

Proof of Lemma[3 Uniform Makes the Worst Case 
FOR THE Guesser in Costly-Guesses 

Proof: We start by establishing a basic lemma. The lemma 
sheds light on the nature of a best response of the guesser, 
given a mixed strategy of the picker. Specifically, it provides 
three ways of improving (though not necessarily strictly) a 
given (pure) strategy of the guesser. 

Lemma 5: In a Costly-Guesses game, consider a picker’s 
mixed strategy 5 G A7^, and a guesser’s pure strategy 
A = (ai,..., ot), where T > 1. Then each of the following 
procedures improves A for the guesser: 

(a) Re-ordering: If ai,aj G A where i < j, and d{a j) > 
S(ai), then ua{S,A') >UA{d, A), where A' is the pure 
strategy that is derived from swapping the positions of 
and Oj in A and keeping everything else the same. The 
inequality is strict if and only if 5 [a 3 ) > S(ai). In words, 
it is always better for the guesser to try a position that 
has received a higher probability by the picker before a 
secret that has received a lower probability. 

(b) Replacement: If ai G A and Oj ^ A, and S{a 3 ) > 

then ua{S, A') > ua{S, A), where A' is the pure strategy 
that is derived from replacing with Oj in A and keeping 
everything else the same. The inequality is strict if and 
only if 5{aj) > 5{ai). 

(c) Padding: For a given 5, if ua{S,A) > ua{8,A') where 
A coincides with A' by removing at from it, and 5{at >) = 
S(at), then ua{S,A”) > UA{d,A'), where A” coincides 
with A by removing {at', at) from it. The inequality is 
strict if 6{at) > 0. In words, if it is beneficial for the 
guesser to start exploring a batch of secrets with the 
same probability of selection by the picker, then it is even 
better to explore a step further through that batch (and by 
repeating the argument, continue through to explore all 
of that batch). 

Proof: Each of the above follows directly from the 
expression of the expected utility of the guesser as expressed 


in Specifically, for part (a), we have: 

ua{S,A') - UA{d,A) = {j - i){S{aj) - S{a^))a 
For part (b) we have: 


ua{S,A') - ua{S,A) = 

(S(aj) -S(a,))j- 


(lAl-i) {S{aj) - d{a^))a 


Finally, for part (c), consider A = (oi,..., Oi, a^+i,..., ot), 
A' = {ai,...,ai,at,a^+i,...,aT), and A" = 

(tti,..., Oi, at', Ot, Oi-i-i,..., Or). Simplification of 

ua{S,A') > ua{S,A) leads to 'yS{at) — 

a {i-T)S{at)+ 1-J2]=i^iaj) 

S{at') = d{at), this 


can 


> 

also be 


0. Since 
written as: 


7^(at') - cr (i-T)S{at') + l-'Z)j^;^S{aj) > 0. 

Because aS{at) > 0, we have: 'yS(at') — 

a {i- T)S{at') -I- 1 - “ ^i^t) > 0 (strictly if 

d{at) > 0). This is equivalent to UA{d,A") > ua{S,A'). ■ 

Now, going back to the proof of Lemma first note that 
max„gA(A) ck) > 0, since A = (quit) yields a 
utility of zero for the guesser. Following part (c) of Lemma 
and Lemma we have: maxQ,gA(A) ■*^A(tiiiif(£), a) = 
max{0,7 — <j{\£\ + l)/2}. Without loss of generality 
(through relabeling), let 5 be sorted in descending or¬ 
der, breaking ties arbitrarily. Then, in the light of parts 
(a) and (b) of Lemma all we are left to show is 
max'rg{i_,..j£|} UA{d, (oi,..., ar)) > 7 - + l)/2- Let 

supp(^) be the support of d, i.e., the set of p for which 
5{p) > 0, and denote M := |supp((5)|. We show that 
UA{d, (ai,..., om)) > 7 — cr(l^l + l)/2- Lrom the general 
expression of ua in (|^, and the fact that = 1’ 

we get: ua{S, {ai,... ,aT)) = 7 - o'Because 
^(om) < ^(oi) for alH = 1,..., M, we have: A 

= 6{aM)iM + l)M/2 < {M + l)/2. The 
latter is true because ^(om) < ^/M, since otherwise, 

> -Mom > 1- Therefore, u a{S, {ai, ... ,aT)) > 
7 — a{M -I- l)/2 < 7 — cr(|£’| -I- l)/2, since, obviously, for 
any 6 G A(£), we have M < l^j. This completes the proof 
of Lemma [3 ■ 


Appendix J 

Proof of Proposition[3 NE in Costly-Guesses (I) 

Proof: We prove the proposition using induction on the 
number of partitions, N. Lor N = 1, i.e., when V = £ 1 , 
the first part of the claim is trivially true: = 1. The 

second part of the claim, i.e., unid*,ot*) = —Ci — A is a 
consequence of the following lemma: 

Lemma 6: Consider a d G A(7^), and let £ = supp(^). 
If 7 > (|f I -I- 1)(t/ 2, then any best response of the guesser 
exhaustively explores the set, i.e., argmax, 4 g^( 5 ) UA{d,A) C 
Perm(£). 

In words, if uniform randomization of the picker over a set 
does not dissuade the guesser from entering the game, then 
all best responses of the guesser to any randomization of the 
picker lead to exhaustively exploring the set. That is, it is never 








optimal for the guesser to either abstain, or to explore just a 
portion of the set with any non-zero probability. 

Proof: We establish this lemma through an induction on 
\8\. For \8\ = 1, 8 = {p}, the condition of the lemma 
reduces to 7 > cr, and hence the claim trivially follows since 
ua{p, {p)) = 7 — cr > 0 = ua{p, (quit)). Now, suppose 
the lemma holds for \8\ = 1,..., M — 1. We show that it 
is also true for \8\ = M. First, following Lemma we 
have: max„gA(^) ua{6,ol) > max„gA(>t) ^^(umfjS), a) > 
UA{nmi{8), A G Perm(£)) = 7 — (|£| -f l)cr/2 > 0. 
This implies that max„g^(_ 4 ) a) > ua{S, {quit)). 

Hence, for all A! G aigmaxA^AUA{S, A), we must have 
\A'\ > 1. Consider an A' G aigmaxA^A^AiS, A). Because 
l^'j > 1, 38' C 8 such that 8' f % and A' G Perm(£'). 
If 8' = 8, the induction step is proved. Suppose it was 
not the case, and \8'\ — m, where 1 < m < AI — \8\. 
Consider the set 8” := 8 \ 8' and the following picking 
distribution over it: d{p) — S(j))/ (1 — S{8')) for all p G 8" 
and S{p) = 0 for all p ^ 8". Note that supp(^) = 8", and 
hence |supp(^)| = \8\ — \8'\ = M — m < M = l^j. By the 
condition of the lemma in the induction step, 7 > (|£| + l)cr/ 2 , 
hence, we also have 7 > (If"! + l)cr/2. Therefore, by the 
induction hypothesis, any (pure) best response of the guesser 
to ^ is a permutation of 8". Let A' G argmax^g^ ua{^, A). 
Now, consider the composite pure strategy of the guesser 
{A , A"). Using conditional expectation - conditioning on the 
event that all of the guesses in the sequence of A fail - or 
by direct manipulation of the expressions in (|^ or ( [TOl l, we 
have: 

ua{6, {A, A")) = UA{d, A') + (1 - A") (12) 

Since, in particular, (quit) ^ argmax^g^ Uyi(^, A), we 
have: ua{S,A") > (quit)) = 0. Also, (1 — ^(£^')) > 
0, because supp(^) = 8 and \ 8 '\ < \ 8 \. Hence, ( [T^ implies 
ua{S,{A^A")) > ua{S,A), which contradicts A being a 
best response to S. This completes the proof the induction 
step, and hence, the lemma. ■ 

Resuming our proof of Proposition]^ by induction, suppose 
the proposition holds for any number of partitions N = 
I,..., M—1. We show that it also holds for N — M. Consider 
a NE (<5*, a*). If there is a partition from 81 to 8 m that the 
picker does not assign any positive probability to any of its 
members, i.e., 38i such that S*{ 8 i) = 0, then that partition 
can be ignored, and the proposition follows from the induction 
hypothesis. Therefore, we only need to consider the cases in 
which S*{ 8 i) > 0 for all i = 1,..., M. This implies that for 
each i = 1,..., M, 3pi G 8 i such that S*{pi) > 0. Since S* is 
a best response to a*, we have: uo{Pi,OL*) is the same for all 
i = 1,... ,M. Note that UD{Pi,oc*) = —Ci — \4>*{pi), where 
(l>*{Pi) = Y.A^A'^A{Pi)oL*{A), is the aggregate probability 
that Pi is found if the picker chooses pi as her pure strategy 
and the guesser chooses the mixed response of a*. Firstly, 
we deduce that for this case to happen Cm has to be less 
than Cl + A, since otherwise, ud{pitOl*) = ud{pm,ol*) 
would imply 4>*{pm) < 0, which is impossible. Hence, by 


the condition of the proposition in the induction step, we must 
have: 7 > {\8m\ + l)o'/2. 

Since Cfs are strictly increasing in i, the fact that 
uoiPi, CK*) is the same for all i means that (f* (pi)’s are strictly 
decreasing in i. Specifically, consider i,j where 1 < i < M—1 
and i < j < M. From UD{Pi,oA) = UD{Pj,OL*), we get 
(f>*{Pi) - (f>*{P 3 ) = [Cj - Ci)/\ > 0, i.e., E^g^[lA(Fi) - 
'^A{Pj)]o>.* {A) > 0. Therefore, 3A G supp(a*) such that 
Pi G A but pj ^ A'. Following part (b) of Lemma this in 
turn implies that 6*{pi) > S*{pj) (namely, because otherwise, 
A is strictly dominated by a strategy that is achieved by 
replacing pi with pj in it, and hence, cannot receive a strictly 
positive probability in the best response of the guesser). 
Since the choice of i,j, as long asl<i<M— 1 and 
i < j < M, was arbitrary, we have: S*{pi) is non-increasing 
over i = 1,., M. 

Let p) be an arbitrary member of 8i other than pi (if exists), 
where i G M—1}. Suppose S*{p)) = 0. Then we must 

have 4>*{p'i) ^ 4>*{pm), since there is no A G supp(Q:*) 
for which p) G A but pm ^ A. This is because, again 
according to part (b) of Lemma any such strategy can be 
strictly improved by replacing pM with p[ in it, and hence, 
is strictly dominated for the guesser. On the other hand, since 
we have: unipfoi*) = —Ci — 4>*{Pi) and ud{pm,ol*) = 
-Cm - (I>*{pm), the inequality of cf>*{p'^ < (I)*{pm) along 
with Ci < Cm lead to: unipfct*) > ud{pmtOl*). This, 
however, violates 8*{pm) > 0, because p) strictly dominates 
Pm for the picker. This means S* {p)) > 0. Therefore, we must 
in particular have: unipfS*) = uoiPiA*)^ which yields: 
4>*{p'i) = (p*{pi). This means that for all A G supp(Q:*), we 
have: pi G A only if p' G A as well. 

Recall that, from cj}*{pM-i) > 4>*{pm), we have: 3A G 
supp(q;*) such that pm-i € A and pm ^ A. We showed 
that for any i G {1,... ,M — 2}, d*{pi) > S*{pm-i). Now, 
if S*{pi) > 5*{pm-i), then as a consequence of part (b) 
of Lemma we must have pi G A as well. Likewise, if 
8*{pi) = S*{pm-i), then due to part (c) of Lemma|^and the 
fact that S*{pm-i) > 0, we must have pi G A too. Therefore, 
we have pi G A for all i G {1,..., M — 1}. Moreover, we 
showed that for any i < M—1, pi is on a best response strategy 
of the guesser only if any other member of 8i (if exists) is 
also on that strategy. Putting things together, we reach the 
conclusion that any p G ^ * 1 °^ pm)- 

Now, consider the following mixed strategy of the picker: 

^(P) = _ i ^£m{p)- Note that supp(^) C 8m, 

and hence |supp(^)| < \8m\- Given the condition of the 
proposition applied to the induction step, and the fact that 
we ruled out the possibility of Cm > Gi -f A for this case, we 
have 7 > (|supp(^)| + l)cr/2. Moreov^ since 6*{pm) > 0, 
supp(^) f 0. Hence, following Lemma^that we just proved, 
any best response of the guesser to 8 exhausts supp(^). In 
particular, for any A G argmax^g^^^^pp^j^^ ma(^, A), we 
have ua{8,A) > (quit)) = 0. Now, consider the 

following composite strategy of the guesser: (A, A). Following 



a similar argument as in the proof of Lemma using either 
conditional expectation or a direct reorganization of (|^ or 
we have: 

UAiS*, (i, i)) = ua(< 5*, i) + (1 - <5* UAil i) 

Since the second term of the above equation is strictly pos¬ 
itive, we have: ua{S*,{A,A)) > ua{^*,A). This, however, 
violates the NE requirement that a* is a best response to 6*. 
This completes the proof of the proposition. ■ 

Appendix K 

Proof of Proposition]^ NE in Costly-Guesses (II) 

Proof: As we show, this proposition can be seen as a 
corollary of Proposition]^ If M = 1, the proposition trivially 
holds. Eor M > 1, suppose the claim is not true, and there 
exists a NE {6*, a*) in which UD{d*,a*) > —Cm. Then we 
must have 8*{p) = 0 for all p G £i where i > M. This is 
because for any such p, uo{p, cx*) < —Cm, which is strictly 
less than uoi^*,ck*). This means that supp(5*) C 
Eollowing the condition of the proposition, we also have 
7 > {\£i\ -I- l)cr/2 for all* = 1,..., (M — 1). Then following 
Proposition ]^ any NE leads to the picker choosing only 
from £i and the guesser exhausting £i. This means that 
UDiS*,a*) = —Cl — A, which implies un{8*,a*) < —Cm, 
a contradiction. ■ 

Appendix L 

Proof of Proposition]?! Picker’s SSE in 
Costly-Guesses 

Proof: We consider a general mixed strategy of the picker 
5 and investigate its properties to be a best strategy to commit 
to. Eirst, the picker must not assign higher probabilities to 
costlier options. Namely, if p G £i and p' G £j where j > 
i (so that Ci = c{p) < c{p') = Cj) then we must have: 
8{p) > 8{p'). To see this, suppose there exist p, p' G V such 
that c(p) < c{p') and S{p) < S{p'). According to Lemma ]^ 
part (b), since S{p) < S{p'), there is no best response of 
the guesser in which p is explored and not p', because any 
such strategy can be strictly improved upon for the guesser 
by replacing p with p' in it. Therefore, there are only three 
possibilities with respect to the outcome of the game regarding 
these two secrets: (1) either neither one of them are explored 
by the guesser; (2) both of them are explored; or (3) only 
p' is explored. In all three of these contingencies, the picker 
could have saved at least (c(p') — c{p)){S{p') — S{p)) > 0 by 
switching the probabilities. 

Next, we assemble necessary conditions for a best response 
of the guesser to any 5 of the picker. This helps us to 
restrict the space of best responses and accordingly, derive a 
tractable formulation for the utilities of the players. According 
to Lemma ]^ in any guesser’s (pure) best response: (a) secrets 
are not to be explored out of order of their probabilities {d 
values), (b) a secret is not to be explored unless all secrets 
with strictly higher probabilities are to be explored earlier, 
(c) a secret is not to be explored unless all secrets with 
the same probability are to be explored just before or just 


after that; and finally (d) the order of exploration among 
secrets with the same probability is immaterial to the guesser. 
Given S, let Ci{S),..., CM(S)i8) partition V in decreasing 
order of their picker-assigned probabilities, i.e., let all the 
secrets with the highest S{p) constitute Ci, all the secrets 
with the second highest S{p) constitute £ 2 , and so on, to 
Cm- In the light of our discussion, any (pure) best response 
of the guesser to <5, is either (quit) or has to be from the 
set Al*(^) := {{Ai,...,Ak)\K G {1,..., M(<5)}, A, e 
Perm(£i(^)) for all i = In words, any best 

response of the guesser to a given picking randomization is 
either not attempting at all, or planning to exhaustively explore 
the secrets with probabilities above a corresponding threshold, 
before quitting. A best response of the guesser to a given 5 is 
then selected among the above set that yields him the highest 
expected utility. Note that the number of partitions M as well 
as the partitions themselves depend on <5, but we may drop 
the explicit dependence whenever not ambiguous for brevity. 

The following lemma characterizes a key property of a SSE 
strategy profile: 

Lemma 7: Let be a SSE strategy profile of 

the Costly-Guesses game. Then: (A) = (quit) with 

probability one; or (B) ud(< 5*, a®^(<5*)) = —Ci — A. 

That is, any SSE strategy of the picker either leads to the 
choice of a cheapest secret and certain revelation of it, or 
should be a randomization that dissuades the guesser from 
exploring at all. In other words, if at all it is worth randomizing 
to protect a secret from a guesser with costly guesses, then it 
should be done such that the guesser is completely deterred 
from entering the game. The proof of the lemma follows: 

Proof: Let the partitions Ci{S*),..., Cm(^s’){8*) and 
the corresponding guesser’s best response superset A*(<5*) 
be as we described earlier. Given the first property of any 
SSE strategy of the picker, the choosing cost of the secrets 
must be non-decreasing across these partitions, i.e., if p G Ci 
and p' G Cj for i < j, since by the definition of partitions 
d*{p) > S*{p'), we must have: c(p) < c{p'). Hence, in 
particular, Vp G C\, c{p) > Ci. We establish the (disjunctive) 
statement of the lemma as follows: we show that if (B) does 
not hold, then (A) has to hold (a.k.a. proof by disjunctive 
syllogism). 

Consider the cases where (B) does not hold. Since —Ci — A 
is the Maximin utility of the picker (by simply choosing from 
the cheapest partition), violation of (B) means: 

UD{S*,a^^iS*)) >-Cl-X. (13) 

Let A be a best response of the guesser to 5*. As we 
argued before, either A = (quit) or A G A*(^*), i.e., 
A = (Ai,..., Ak) for a K G 1,... M, where Ai G Perm(£i) 
for all i = 1... iT. If in all best responses of the guesser, 
we have K = M, i.e., the guesser explores the entire V, 
then uniS*,a^^{S*)) < —Ci — A, which is a contradiction 
with ( ]T3] |. 

Recall from ( ]T2l i that, given a mixed strategy of the picker 
5, for any guesser’s strategy A that is a concatenation of two 


nonempty subsequences A^A!', i.e. A = {A'^A"), we have 
the general relation that; 

ua{S,{A,A')) = ua{S,A) + [1- ^ 5{p'))ua{S,A") ( 14 ) 

p'eA' 

where 6 is the posterior (Bayesian) belief of the guesser about 
the secret of the picker if all the guesses in A' fail, specifically; 
5{p) = 6{p)/ (^1 - Y.p'eA' for ^(P) = 

0 for all p £ A. Now, suppose (A) does not hold, and hence, 
A = {Ai ,..., Ak) £ supp(a®^(<5*)) for a if G M— 

1}. The fact that (Ai,..., Ak) is a best response to 6* implies 
that it should yield the guesser at least as much utility (or 
better) than any alternative strategy. In particular, we must 
have ua{5*, (Ai, ..., A^)) > ua{S*, (Ai,..., A^/)) for all 
K' £ {K + 1,..., M}, where Ai £ Ci for all i = 1,... K'. 
From (pAli, we can write; 


as well. Hence; 

ud{6\cA^{6*)) = - ^ c{p)5*{p) - X5*{^ti^i) (16) 
pev 

We can expand; J2pev c{p)^*ip) as c{p)6*{p) + 

EpGU“ £iC(p)5*(p). For the first term, we have; 

c(p)^*(p) > C'iX;peuf^i£,Hence, @ 

leads to; 

UD{8\a^^{8*)) < (-Cl - A)r (u(liA)- E c(f)<5*(p) 

Because of ( [T3] l, and since X^pgu^ c ^*ip) > (otherwise 
A = (Ai,..., Ak) cannot be a best response to 8*), the above 
inequality further gives; 

un{S:a^^{S*)) < UD{S:a^^{S*))S^{ulAi) - E <P)8*iP) 


ua{8* , (Ai,..., Ak')) = ua{8* , (Ai,..., Ak)) 

+ (l - 8*{uf^-iCi))uAi8, (Aif+i,... ,Ak>)) 

Therefore, we must have (l — (uf£;^>Ci)) = 0 or 

UAi8,{AK+u...,AK')) < 0 for all K' = AT+l,..., M. The 
former means that this best response of the guesser explores 
the entire support of 8*. Recall that in SSE, the follower 
(guesser) breaks the ties among his best responses in favor 
of the leader (picker). Hence, if there was any other best 
response of the guesser that partially explores the supp(^*) 
(or does not explore it at all), then (Ai,... ,Ak) could not 
be in supp(Q;®^(^*)). Hence, we have uk{ 8*,cA^{8*)) = 
~ SpiF-p 8*{p)c{p) — A < —Cl — A, which is contradict¬ 
ing ([f^. 

On the other hand, ua{8,{Ak+i,...,Ak')) < 0 for all 
K' = K + 1,M implies that a®^(^) is just (quit) with 
probability one. To see this, note that 8 preserves the order of 
probabilities across partitions Ck+i, ■ ■ ■ ,^m and is zero over 
partitions £i,... ,Ck- Hence, following Lemmaas before, 
any A £ supp(a®^(^)) can be written as (Ak+i, ■ ■ ■ ,Ak') 
for a K' < M, in which Ai £ Perm(£i) for all i. The utility 
of the guesser to any of such strategies is non-positive. We also 
have M^(^,(quit)) = 0. Hence, (quit) G supp(Q:®^'(^)). 
Moreover, since in a SSE, the follower breaks ties in favor of 
the leader, there is no other strategy in the support of a®^(^), 
since any other strategy of the guesser involves exploring a 
subset of the support of 8, which strictly reduces the utility 
of the picker. Therefore; 

Mn(^,Q;®^(^)) = - E c{p)8{p) (15) 

P^^fLK + Ai 

We show that U£)(<5*, a®^(<5*)) < ud(^, q;®^(^)), contra¬ 
dicting the assumption that 8* is a SSE strategy of the picker. 
Eirst, because (Ai,..., Ak) G supp(Q:®^(^*)), and since the 
guesser breaks his ties in favor of the picker, any strategy in 
supp(q;®^( 5*)) explores the whole partitions of £i,... ,Ck 


which means; 


UD{8*,a^^{8*))<- E <P^ 


8*ip) 


pGUf 


Ep' 




8* ip') 


The right hand side is exactly equal to as given 

in This completes the proof of the lemma. ■ 

The lemma establishes that a SSE strategy of the picker is 
the “cheapest” randomization of her that removes any “strict” 
preference of the guesser to enter the game (if the guesser is 
indifferent whether to enter the game it is assumed that he 
does not, since he breaks ties in favor of the picker in any 
SSE). Next, we show that the picker can restrict her search 
for the cheapest deterring randomizations to only among those 
that assign the same probability within a partition of the same 
cost (i.e., same probability to all members of a given £i). To 
see this, suppose an optimal distribution 8* indeed violates 
this property. Consider an Sp over which, the distribution 
is assigning distinct probabilities, i.e., 3p, p' £ Sj where 
8*{p) 7 ^ 8*{p'). Now consider an alternative distribution 8 
as the following; 8{p) = 8* for all p ^ Sj and 8{p) = 
8*{£i)/\£i\ for all p £ £j. We show that this alternative 
distribution also dissuades the guesser from entering the game, 
and hence, provides the same utility for the picker (because 
the total probability over £j is the same). Consider the 
following partitioning of V: Vi = V 2 = £i and 

Va = For any strategy of the guesser A that only 

includes members Vi, we have; ua{8,A) = ua{8,A). For 
any strategy of the guesser that includes members from Vi 
and V 2 , we can reorder A as (Ai, A 2 ) where Ai only includes 
from Vi and A 2 only from V 2 without changing the value of 
ua{8, A) or ua{8, A). To see this, note that; (1) as we argued 
before, any SSE strategy of the picker assigns non-increasing 
probabilities across £i, hence 8* is non-increasing across £i, 
and by construction, so is 8', ( 2 ) as we discussed before, any 
best response of the guesser tries guesses in decreasing order 
of their picker-assigned probabilities, and changing the order 




among options with the same probability does not affect his 
utility. Now, from the relation in ([T^ we have: 

ua{S*,A)=ua{S*,Ai) + {1- Y, S*{p))ua{S*,A2) 

peAi 

The same can be written for ua{S,A): 

UAiS,A) = UAiS,Ai) + (l - ^ S{p))uAiS,A2) 

peAi 

Note that UAiS*,Ai) = ua{S,Ai) and J2p^Ai^*iP) = 
Thp^Ai Moreover, since d — unif(f 7 ), from Lemma 

we have: ua{S,A 2 ) < ua{S*, A 2 ). Hence, overall, we have: 
ua{S,A) < ua{^*,A). Finally, for any strategy of the 
guesser that includes from Vi, 1^2 and V 3 , following the 
same argument, we can reorder A as (^ 1 ,^ 2 ; ^ 3 ) such that 
each Ai only includes from Vi, i = 1,2,3. Also, by using 
(fUjl twice, noting^ (l - EpeA^ ^(p)) (l “ EpeA 2 ^(p)) = 
we have: 

ua(S*,A)=ua(S*,Ai) + (1- Y S*(p))ua(S*,A2) 

peAi 

+ (1- ^ 6*{p))ua{S*,A3) 

pe{Ai,A2) 

and similarly for Like before, we have: 

UAiS*,Ai) = UAiS,Ai), ua{S*,A3) = ua{S,A3) 

(because I* = I), EpeA^^*iP) = EpeA^Hp)^ and 

EpG(Ai.A 2 > ^*(f) = E.g(Ai.a.> ^(P)- Also, from (a slight 

extension of) Lemma ^ ma(^,^ 2 ) £ ua(^*,^ 2 )- Hence, 
for this case, and therefore for all three cases, we have 
UAiS,A) < ua{S*,A). This means that ua{S*,A) < 0 
implies ua{^,A) < 0 . 

Hence, all that is left to show is that the linear programming 
provided in the proposition, yields the highest utility for the 
picker among the distributions that: ( 1 ) assign equal values 
within each Si, (2) are decreasing across Si, (3) remove any 
strict incentive for the guesser to enter the game, i.e., make 
(quit) a best response of the guesser. To show each of these, 
note that the proposition prescribes Vi/\Si\ as the probability 
for all of the member of Si, hence it satisfies the first property. 
The constraints of > 0 for all i, and Ef=i — 1’ 
ensure that the solution is indeed a legitimate mixed strategy 
of the picker. The constraints Vi/\Si\ > for 

i = 1,... ,N — 1 ascertain the second property listed above. 
Finally, the remaining inequalities ensure the third property, 
as we show next. 

Suppose the mixed strategy of the picker is 5{p) = Vi/\Si\ 
for all p G Si, i = 1,... ,N. Consider a guesser’s strategy 
A = {Ai,...,Ak) for some K G iV}, where 

Ai G Perm(£i). That is, trying all the partitions thor¬ 
oughly and sequentially from the cheapest partition up to 
partition K upon failed guesses. Then the expected utility 
of the guesser is the following: ua{S,A) = 7E^i - 


^Ef=i |f.l(i-E;;>7)-(|fd-iW2 


. There are at 


least two ways to obtain this equality: 

Method 1 - using conditional expectation: The secret is 
in the first partition with probability ^ 1 . Conditioning on the 
secret being from partition 1, following Lemma|^ the expected 
utility of the guesser is 7 — cr(|£i| + l)/2. With probability 
(1 — lyi), the secret is not from partition 1. In that case, the 
expected utility of the guesser is —cr|£i| plus the expected 
utility of exploring the rest of the K — 1 partitions given that 
the secret is not from partition 1. Continuing this procedure, 
we have: 
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UA 


(^,A)=Y 


("r 


J^il + 1 


E i—1 

7=1 


- cr|£i|(l - 


1 - 


( 1 -E-.) 


which simplifies to: 
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Method 2 - the direct way: We have; 

K 


K 

ua{S,A) = 7E^*“'^EE 
2=1 /^1 

2-1 
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2 = 1 
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1 - - TFT^») 


i=i 


\S^ 


= 7E'^*“'^E 




i=i 


\S^ 


Which simplifies to the same expression as before. This 
concludes the proof of the proposition. ■ 






















